ABSTRACT

This paper deals with logics of programs. The objective is to formalize a notion of program description, and to give both plausible (semantic) and effective (syntactic) criteria for the notion of truth of a description. A novel feature of this treatment is the development of the mathematics underlying Floyd-Hoare axiom systems independently of such systems. Other directions that such research may take are also considered. This paper grew out of, and is intended to be usable as, class notes [27] for an introductory semantics course. The three sections of the paper are:

1. A framework for the logic of programs.

Programs and their partial correctness theories are treated as binary relations on states and formulae respectively. Truth-values are assigned to partial correctness assertions in a plausible (Tarskian) but not directly usable way.

2. Particular programs.

Effective criteria for truth are established for some programs using the Tarskian criteria as a benchmark. This leads directly to a sound, complete, effective axiom system for the theories of these programs. The difficulties involved in finding such effective criteria for other programs are explored. The reader's attention is drawn to Theorems 4, 16, 18 and 22-24, as worthy of mention even out of the context in which they now appear.

3. Variations and extensions of the framework.

Alternatives to binary relations for both programs and theories are speculated on, and their possible roles in semantics are considered. We discuss a hierarchy of varieties of programs and the importance of this hierarchy to the issues of definability and describability. Modal logic is considered as a first-order alternative to Floyd-Hoare logic. We give an appropriate axiom system which is complete for loop-free programs and also puts conventional predicate calculus in a different light by lumping quantifiers with non-logical assignments rather than treating them as logical concepts.
SEMANTICAL CONSIDERATIONS ON FLOYD-HOARE LOGIC

1. A framework for the logic of programs.
1.1 Semantics: what a program is

In this paper we restrict our attention to programs that primarily manipulate and test their environment, in contrast say to the pure lambda calculus, whose semantics need not depend on the notion of a changing environment. Floyd-Hoare logic is aimed at the former kind of program, which does not readily lend itself to direct description using classical logic. Lambda calculus and pure LISP programs fare much better with classical logic. However, the manipulate-and-test paradigm dominates the programming milieu, and the popularity of the Floyd-Hoare method for dealing with this situation makes a foundational study of the method worthwhile.

The term semantics will connote for us the relation between word and object. Two such relations appear below, as concrete program and abstract program (cf Scott [31]), and as formula and truth-value (cf Tarski [34]). When necessary we will refer to these respectively as Π-semantics and ⊨-semantics. These reflect what we feel should be the two main concerns of theoretical semantics, namely abstract programs and their logics. This section (1.1) deals with the former, although we do not explicitly discuss concrete programs. (Section 3.1 raises the possibility that the concrete/abstract dichotomy is too narrow a point of view for Π-semantics.) The role of section 1.1 is to provide a rigorous foundation for the remainder of the paper, which is concerned (except for section 3.1) with logics of programs.

Binary Relations. We shall use binary relations for programs along lines proposed by Eilenberg and Elgot [13], de Bakker [9,10,11], and (with relations replaced by functions) Scott [9,31]. We find it convenient to use them also for partial correctness theories of programs.

We define a binary relation R from a set A (the domain of R) to a set B (the range of R) to be a subset of A×B [10] (as opposed to a function from 2^A to 2^B [13], which is not as convenient for our purposes). We further define:

aRb ≡ (a,b) ∈ R

aRbSc ≡ aRb ∧ bSc

R∪S, R∩S, R−S as for any sets, infinite union and intersection included

R∘S ≡ {(a,c) | ∃b[aRbSc]} (composition)

R⁻ ≡ {(b,a) | aRb} (converse)

XRb ≡ ∧_{a∈X} aRb for X⊆A

aRY ≡ ∧_{b∈Y} aRb for Y⊆B

XR ≡ {b | ∃a∈X[aRb]} for X⊆A
(ox^tton: R s ^} 
RY ≡ {a | ∃b∈Y[aRb]} for Y⊆B

X⊨ ≡ {P | X⊨P} (this is an exception to XR above)

Symbols. Central to the notion of environment is the symbol and its value (or interpretation, or denotation). We shall confine our attention to function symbols, predicate symbols, and logical connectives, interpreted respectively as functions, predicates, and either boolean functions or binary relations (see (2) below), all of fixed arity. We denote the collections of such symbols as 𝔉, 𝔓, and 𝔏 respectively, and use subscripts to identify the collections of a given arity; thus 𝔉₂ is the collection of binary function symbols. 𝔏 will always include ∧, ¬ and ∃x for all x∈𝔉₀ (i.e. first-order quantification, though very little of what we prove changes if we permit ∃x for all x∈𝔉), while 𝔓 will always include =. We let D denote the (single) domain for the functions and predicates.

We adopt the following notations.

A→B the set of all functions from A to B;

f:A→B ≡ f ∈ A→B;

A^k ≡ A×A×...×A (Cartesian product of k A's);

Expressions. Expressions are trees whose vertices are labelled with symbols such that:

(i) each symbol's arity equals the out-degree of the vertex it labels;

(ii) going from the root to a leaf, the sequence of symbol-types encountered forms a contiguous substring of 𝔏*𝔓𝔉*.

We use the following concepts and notations.

Formula An expression whose root's label is in 𝔏∪𝔓;

Term An expression whose root's label is in 𝔉;

ℰ The set of expressions;

ℰ_𝔓 The set of formulae of ℰ;

ℰ_𝔉 The set of terms of ℰ;

Ground Describes an expression containing no modalities.

Useful abbreviations and their expansions are:

P∨Q ≡ ¬(¬P∧¬Q) (mutatis mutandis for ⊃, ≡, ∀x)

true ≡ x=x (mutatis mutandis for false)

Ē ≡ (E₁,...,E_k)

Ē=F̄ ≡ E₁=F₁ ∧ ... ∧ E_k=F_k

9r^C 'dNE« 9 • • • »arE|^l 

J^ .JS 4 JlS^ • • • JS^ 

Interpretations. We now assign meaning to expressions, along the lines spelled out by Tarski [34]. An interpretation 𝔍 (which for us will play the role of an environment) specifies for each symbol A the value A_𝔍 of A in 𝔍. Given 𝔍, we can then infer the value in 𝔍 of an expression E = A(F). The value will be written 𝔍E (slightly generalizing the usual usage), and is defined by

𝔍A(F) ≡ A_𝔍(𝔍F). (1)

Note that the argument F on the left becomes 𝔍F on the right regardless of what A is. Under this condition we say that A is referentially transparent [28].

The only exception to (1) is when A is a modality, which is a unary logical connective whose interpretation A (independent of 𝔍) is a binary relation on interpretations. (Alternatively we could say that its interpretation A_𝔍 is a set of interpretations depending on 𝔍, namely those accessible from 𝔍 via A, in which case 𝔍A𝔎 would be written 𝔎 ∈ A_𝔍.) The definition becomes

𝔍⊨A(P) ≡ ∨_{𝔍A𝔎} 𝔎⊨P (2)

This asserts the existence of an interpretation 𝔎, accessible from 𝔍 via A, in which P is true. It is Kripke's [20] semantical interpretation of what is written by modal logicians. Such an A is not referentially transparent; we then say it is referentially opaque [28]. An immediate application is to the definition of modalities of the form ∃x where x ∈ 𝔉₀ and ∃x is interpreted as the equivalence relation relating pairs of interpretations differing only in their assignment to x. The section on programs as binary relations will suggest a further application.

Given a set X of interpretations we shall write X⊨P for ∧_{𝔍∈X} 𝔍⊨P, X⊨ for {P | X⊨P} (the theory of X) and ⊨P for {𝔍 | 𝔍⊨P}.

Programs as binary relations on states. We have thus far defined only conventional concepts from logic, using more or less conventional definitions. We now define a transition to be an ordered pair of states, where a state is defined to be an interpretation. Intuitively a transition represents an initial and a final state. Following de Bakker [9,10,11], we define a program to be a set of transitions, i.e. a binary relation on states.

Note that this definition makes the interpretation of a modality a program. Given a program a we let <a> denote the modality whose interpretation is a, and abbreviate ¬<a>¬ to [a], in imitation of the symbols of classical modal logic. A little thought reveals that [a]P means essentially "after executing a, P holds," or more precisely, "every transition from this state leads to a state satisfying P," while <a>P means "there exists a transition from this state to a state satisfying P." In this light, another way of viewing our interpretation of ∃x is as a program that non-deterministically assigns an arbitrary element of D to x.

Restrictions on interpretations. If every symbol were always to have the same value there could be but one state and hence but two programs, the identity program I and the empty program ∅. Useful assignment statements would not be possible. Conversely, if no restrictions (save those of arity and type) are placed on the possible values of symbols (as in pure predicate calculus), a wealth of programs is possible. We would then be studying uninterpreted program schemes. With the exception of Theorems 16-18 (and in some sense Theorems 4 and 5), our results are independent of where one lies in this spectrum. When we use familiar symbols (e.g. ∧, ¬, ∃x, =, <, 0, 1, +, −, ...), these will always be assumed to have their standard interpretation (which in practice is a function of whether D is the natural numbers, integers, reals or whatever). The universe U of possible states is thus a function solely of D, 𝔉, 𝔓 and whatever restrictions are in force on interpretations of symbols. When U⊨P we shall say that P is valid.

We distinguish between symbols with a single fixed standard interpretation, symbols whose interpretation can be changed by a program, and symbols in neither category, by calling them respectively standard symbols, assignables and labels. None of these distinctions are relevant to the statement or proof of most of the theorems of Section 2, but they are important in interpreting those theorems. For example, knowing that a symbol is a label means that we know it cannot change during program execution, and hence it can safely be used to name, say, input values in both the antecedent and the consequent of a partial correctness assertion.



1.2 Logic: how to describe a program

So far we have said what a program is, a Π-semantical concern. We now consider ways to talk about programs, a concern of logic.

Partial correctness assertions. A partial correctness assertion (pca) is an ordered pair of formulae of ℰ_𝔓, called respectively the antecedent and the consequent. Pca's were first studied carefully by Floyd [14], who called them verification conditions. They were later further popularized by Hoare [16]. Though they do not constitute the only possible description language, as we shall see in section 3, and also are lop-sided in their ability to discuss termination (they can only discuss non-termination), they are nevertheless of considerable practical and theoretical interest. We shall refer to program-oriented logics whose language is ℰ_𝔓² as Floyd-Hoare logics.

The meaning of a pca is defined as an extension to the Tarskian definitions (1) and (2) (⊨-semantics). We extend ⊨ so that it is defined not only on U×ℰ_𝔓 but also on U²×ℰ_𝔓², as follows:

(𝔍,𝔎)⊨(P,Q) ≡ (𝔍⊨P ⊃ 𝔎⊨Q) (3)

That is, a transition satisfies a pca, or the pca is true of the transition, when the truth of the antecedent before the transition implies the truth of the consequent after. We refer to these two usages of ⊨ as unary and binary respectively; more generally, we distinguish conventional logics from Floyd-Hoare logics by calling them respectively unary and binary logics. Unary logics deal with static situations, binary logics with dynamic situations.

For a set a of transitions (i.e. a program), a⊨(P,Q) means that (P,Q) is true of every transition in the program a; we then say (P,Q) is true of a, and that a satisfies (P,Q). Similarly, a⊨ denotes the set of pca's true of a, which we shall call the partial correctness theory of a, abbreviated to {a} (following Hoare [16], but using boldface to distinguish { } from set brackets { }). Since {a} is a set of pairs of formulae we can treat it as a binary relation on ℰ_𝔓 and write P{a}Q for a⊨(P,Q).

One can think of (P,Q) as providing an upper bound on programs, in the sense that the programs satisfying (P,Q) are just the subsets of ⊨(P,Q). In this role, (P,Q) can assert non-termination, but because ∅⊨(P,Q) for any (P,Q), it cannot assert termination.

The Duality Principle for Programs. In static logic there is a duality between true and false. In dynamic logic a similar duality obtains between forward and backward execution of programs. The (easily checked) Duality Principle for a program a is

{a⁻} = ¬{a}⁻ (D)

where ¬(P,Q) is defined as (¬P,¬Q). Thus P{a⁻}Q is equivalent to ¬Q{a}¬P. This principle can occasionally simplify discussion of forward execution by reducing it to backward execution or vice versa. The axiom of modus tollens in static logic (a⊃b ≡ ¬b⊃¬a) can be thought of as the duality principle applied to the program I.

Weakest Antecedents and Strongest Consequents. We observed earlier that [a]P could be interpreted as "after executing a, P holds." It follows that ([a]P){a}P holds. Moreover, no weaker antecedent than [a]P will permit the consequent P; indeed, if 𝔍⊭[a]P then 𝔍⊨<a>¬P, so there exists 𝔎 satisfying 𝔍a𝔎 such that 𝔎⊭P. We call any formula logically equivalent to [a]P a weakest antecedent (Dijkstra [12]) of P via a. This is summarized by

P{a}Q ≡ ⊨(P ⊃ [a]Q) (W)

By the duality principle (D), all of the above holds equally well for ¬P{a⁻}(¬[a]P), and hence for P{a}(<a⁻>P). We call any formula logically equivalent to <a⁻>P a strongest consequent (Floyd [15]) of P via a. The dual of (W) is

P{a}Q ≡ ⊨(<a⁻>P ⊃ Q) (S)

Though we have given syntactic characterizations of weakest antecedent and strongest consequent, these translate immediately into semantic characterizations by virtue of our having already specified the semantics of modalities. This approach is slightly more convenient to work with than defining the concepts directly in terms of interpretations, particularly since we need the concept of modality for other purposes.
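Definitions (3), (D), (W) and (S) can be checked mechanically on a finite universe. The Python model below is an added example, not code from the paper: a state is a pair (value of x, value of y) over a constructed domain D = {0,1,2}, a formula is identified with the set ⊨P of states in which it holds, a program is a set of transitions, and the assignment, test and ∃x programs are constructed here purely for illustration.

```python
from itertools import product

D = (0, 1, 2)
U = frozenset(product(D, repeat=2))        # states: (value of x, value of y)

def holds(pred):
    """The set ⊨P of states satisfying a formula given as a predicate."""
    return frozenset(s for s in U if pred(s))

def converse(a):
    """a⁻ = {(t,s) | (s,t) ∈ a}: the program run backwards."""
    return frozenset((t, s) for (s, t) in a)

def diamond(a, P):
    """<a>P: states from which some a-transition reaches P (definition (2))."""
    return frozenset(s for (s, t) in a if t in P)

def box(a, P):
    """[a]P = ¬<a>¬P: states all of whose a-transitions land in P."""
    return U - diamond(a, U - P)

def pca_true(a, P, Q):
    """a ⊨ (P,Q): definition (3) must hold on every transition of a."""
    return all(s not in P or t in Q for (s, t) in a)

# Constructed programs (illustrative assumptions, not taken from the paper).
ASSIGN = frozenset((s, ((s[0] + 1) % 3, s[1])) for s in U)         # x ← x+1 (mod 3)
TEST = frozenset((s, s) for s in U if s[0] == 0)                   # the test [x=0]
EXISTS_X = frozenset((s, t) for s in U for t in U if s[1] == t[1])  # ∃x as a program
PROGRAMS = (ASSIGN, TEST, EXISTS_X, ASSIGN | TEST)

# A few formulas, each as the set of states in which it holds.
X_IS_0 = holds(lambda s: s[0] == 0)
X_IS_1 = holds(lambda s: s[0] == 1)
X_EQ_Y = holds(lambda s: s[0] == s[1])
FORMULAS = (X_IS_0, X_IS_1, X_EQ_Y, U, frozenset())               # U = true, ∅ = false

def weakest_antecedent(a, Q):
    """[a]Q: by (W), the weakest P with P{a}Q."""
    return box(a, Q)

def strongest_consequent(a, P):
    """<a⁻>P: by (S), the strongest Q with P{a}Q."""
    return diamond(converse(a), P)

def check_W(a, P, Q):
    """(W): P{a}Q iff ⊨(P ⊃ [a]Q), i.e. ⊨P ⊆ ⊨[a]Q."""
    return pca_true(a, P, Q) == (P <= weakest_antecedent(a, Q))

def check_S(a, P, Q):
    """(S): P{a}Q iff ⊨(<a⁻>P ⊃ Q)."""
    return pca_true(a, P, Q) == (strongest_consequent(a, P) <= Q)

def check_D(a, P, Q):
    """(D): P{a⁻}Q iff ¬Q{a}¬P, with ¬ taken as set complement in U."""
    return pca_true(converse(a), P, Q) == pca_true(a, U - Q, U - P)

def all_checks_pass():
    """Every (program, P, Q) triple above satisfies (W), (S) and (D)."""
    return all(check_W(a, P, Q) and check_S(a, P, Q) and check_D(a, P, Q)
               for a in PROGRAMS for P in FORMULAS for Q in FORMULAS)
```

On this model `weakest_antecedent(TEST, X_IS_1)` is the set ⊨(x=0 ⊃ x=1), which is Theorem 3(b) of section 2.1 seen semantically.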

Tidy Programs. Including the modality <a> in 𝔏 is not really cricket, since the whole idea of Floyd-Hoare logic becomes superfluous (see section 3.2 for details). We shall limit 𝔏 to ∧, ¬ and ∃x for all x∈𝔉₀. In this case we may ask whether ℰ_𝔓 contains any formula logically equivalent to [a]P. If for a given program a the answer to this question is yes for all P∈ℰ_𝔓 we say that a is backward tidy. (Schwarz [32] uses the terminology "backward exactly connected".) The dual epithet is forward tidy (Pratt [27] and independently Schwarz [32]). Note that the concept of tidiness finds no application in de Bakker's and Meertens' [11] Π-semantical treatment of partial correctness, where for an "antecedent" V⊆U they define the strongest "consequent" via a to be Va, which will always be defined. While elegant, this is not logic, that is, the concept of language does not appear; they are talking about a different though closely related problem.

A program that is either forward or backward tidy we shall call tidy; when it is both, we shall call it very tidy.

When a is forward tidy it is convenient to have a function a⇒ : ℰ_𝔓→ℰ_𝔓, such that a⇒ takes P to a strongest consequent of P via a. We call a⇒ a forward tidiness function of a. If there exists a recursive a⇒ we shall say that a is recursively forward tidy. For convenience we will sometimes treat a⇒ as a binary relation, writing it as (a⇒). A backward tidiness function of b (if any) is written ⇐b; (⇐b) will denote the converse of the relation corresponding to the function ⇐b. The following facts formalize this.

∃Q(P(a⇒)Q ∧ Q≡<a⁻>P) if a is forward tidy (F∃)

∀Q(P(a⇒)Q ⊃ Q≡<a⁻>P) (F∀)

∃P(P(⇐b)Q ∧ P≡[b]Q) if b is backward tidy (B∃)

∀P(P(⇐b)Q ⊃ P≡[b]Q) (B∀)

A program may have many tidiness functions, any one of which will serve our purposes. The following is useful.

Tidiness Duality Lemma (TDL): Program a is forward tidy if and only if a⁻ is backward tidy.

The following lemma supplies one valuable role for tidiness; see Theorem 7 below for another equally valuable role.

Tidiness Characterization Lemma (TCL):

(a) Let a be forward tidy. Then {a} = (a⇒)∘{I}.

(b) Let b be backward tidy. Then {b} = {I}∘(⇐b).

With this lemma, to know a tidiness function of a is to know the theory of a, or at least to reduce the problem to knowing the theory of {I} in the sense of Theorem 12 below.

We have now completely specified the notion of truth for pca's with respect to a given program. Note that this definition is plausible (what simpler rigorous yet direct definition of truth could there be?), but not accessible (evaluating the truth of P{a}Q directly from the definitions may bog down in the infinities of either the set a of transitions (when checking t⊨(P,Q) for each t∈a) or the universe U of states (when evaluating ∃x[P])). Hence we would like to trade off plausibility for effectiveness, leading to an axiom system for {a} that is sound, complete and effective. This trade-off has its analog in unary logic. In both logics this gives rise to the need to distinguish truth and proof.

In general {a} is not accessible in the above sense; however, in some simple yet useful cases, {a} is quite accessible. The following section focuses on such special cases.



2. Particular programs
2.1 Basic Programs.

The Identity and Empty Programs. The empty relation ∅, containing no transitions, and the identity relation I_U, which we shall henceforth abbreviate to I, are two simple programs of particular interest. These are characterized by the properties a∪∅ = ∅∪a = a, a∘∅ = ∅∘a = ∅ and a∘I = I∘a = a. Thus they resemble - and in fact are - the additive and multiplicative identities respectively of a semi-ring (ring with no additive inverses) with addition operator ∪ and multiplication operator ∘.

(All proofs in this section are relegated to an appendix.)

Theorem 1. {∅} = ℰ_𝔓².

Theorem 2. {I} = {(P,Q) | U⊨(P⊃Q)}.

For convenience, rather than referring to U⊨ when we want to talk about the set of valid formulae of unary logic we shall use {I}. Though this implies a restriction of ℰ_𝔓 to implications, this is a trivial restriction in our case. (Recall Floyd's remark [15]: "One might say facetiously that the subject matter of formal logic is the study of the verifiable interpretations of the program consisting of the null statement.")

Tests. A test is a formula P of ℰ_𝔓, and denotes the program

[P] ≡ I_{⊨P} (T)

Thus [P] will execute (without side effects) just when P is true. (The [ ] is borrowed from Scott [31].) Though we have reserved the word "test" for P itself, we shall also refer to [P] as a test when the meaning is clear. Observing that I ≡ [true] and ∅ ≡ [false] allows us to subsume many theorems or axioms about I and ∅ under those about tests.

Theorem 3. Let R be a test.

(a) <[R]⁻>P ≡ R∧P. (Forward tidiness)

(b) [[R]]P ≡ R⊃P. (Backward tidiness)

The Tidiness Characterization Lemma allows us to deduce the remainder of {[R]}.

A ground test has no modalities, and corresponds to the sorts of tests permitted in, say, ALGOL. Though the above theorem did not rely on tests being ground, when we come to exhibit particular programs to make a point or prove a theorem, we will restrict ourselves to ground tests.

Assignments. An assignment is a pair of terms (F(S̄),T) of ℰ, corresponding to the left and right sides of a conventional assignment statement. No loss of generality ensues from parsing the left-hand side as F(S̄); all expressions can be so written. When S̄ is a 0-tuple we have simple variable assignment; otherwise we have array assignment. Since the array arguments are not constrained to be integers, this encompasses the notion of record as in, say, Pascal [35]. For Floyd-Hoare logic no distinction need be drawn between functions and arrays. The corresponding program is a function of type U→U, which of course is just the special case of a binary relation on U where each element of U appears in the relation as the first component of a pair just once. It may be defined with the aid of λ-notation thus.

[F(S̄)←T] ≡ λ𝔍.λA. if A≠F then A_𝔍 else λs̄. if s̄≠𝔍S̄ then A_𝔍(s̄) else 𝔍T (A)

(Note: s̄ and S̄ agree in arity.)

It will help in following this definition to keep in mind the following types of functions:
[F(S̄)←T]: U→U
𝔍: 𝔉→(D^k→D) (at least in this case, with only terms involved)

It should be remarked that this is not meant as an interpretive definition of assignment in the sense that to execute an assignment one executes the body of the definition. Rather we are defining a mathematical object, which the body uniquely specifies given U. No detail of this object may be changed without doing violence to the intent of our definition, though of course as in any definition the wording of the definition may be varied.

Before proceeding to a characterization of {[F(S̄)←T]} we introduce the notion of substitution, suitably generalized to handle arrays. We define [T/F(Z̄)]P (abbreviated as P'), the result of substituting the expression T for the subtrees in P with root F, as follows.
F(Ē)' ≡ [Ē'/Z̄]T (S1)

A(Ē)' ≡ A(Ē') for non-modal A≠F (S2)

(∃x P)' ≡ ∃y(([y/x]P)') for new y (S3)

S1 performs the substitution for F; its right side simplifies to T when F is zeroary. Clearly Ē' is (E₁',...,E_k'). Substitution of this for Z̄ in T means substitution of the whole tuple wherever Z̄ occurs in T. Z̄ is not a tuple of ℰ but rather a place-holder (for the arguments of F) that we shall employ below in instances of T.

S2 caters for referentially transparent symbols. The only modality we provide for is ∃x as in S3, which is sufficient for our purposes. (It is easy to check that ∃ may be replaced by ∀ in S3 with no other modification since ¬ is referentially transparent and covered by S2.)

(When P contains assignment modalities (not the case in this paper), a difficulty arises in extending S3, namely that of generalizing renaming of bound variables. The reader interested in pursuing this further might consider the supposedly valid formula X=0 ⊃ [X+1/Y][X←X+2](Y=1∧X=2), which is in fact not valid if the substitution is performed naively. This may be transformed to X=0 ⊃ [X+1/Y][Z←X+2](Y=1∧Z=2) to avoid this problem, along the lines of S3, but is this desirable? The reason this is not a problem for ∃X thought of as <X←RANDOM> is that RANDOM is independent of X, so renaming it to <Z←RANDOM>, or for that matter renaming <X←1> to <Z←1>, is not as distressing as renaming <X←X+2> to <Z←X+2>. Clearly we cannot rename it to <Z←Z+2> without renaming other occurrences of X possibly outside the scope of the substitution, as in the example where we have X=0. It would appear that renaming to <Z←X+2> is our only option. But then what happens in the case of array assignment? We would appreciate seeing a solution to this problem.)

In addition to substitution we need a temporary addition to 𝔉₃, namely IF-THEN-ELSE, a peculiar symbol taking a formula for its first argument and terms for its second and third arguments. It is removed (in order to yield an expression of ℰ) by the following transformations, which move it up the tree using the first two transformations until all its arguments are formulae, permitting application of the third transformation.

G(IF R THEN Ē ELSE F̄) → IF R THEN G(Ē) ELSE G(F̄) for G ∈ 𝔉∪𝔓;

E → IF R THEN E ELSE E; (to facilitate preceding rule)

IF R THEN S ELSE T → (R∧S)∨(¬R∧T) for S,T ∈ ℰ_𝔓.

IF lemma. Evaluating 𝔍⊨U when U is a formula containing IF-terms yields the same truth value whether IF is first removed by the above transformations or left in place and evaluated using

𝔍(IF P THEN S ELSE T) ≡ if 𝔍P then 𝔍S else 𝔍T.

The following repeats joint work with R. Me [27].

Theorem 4. Let F(S̄)←T be an assignment.

(a) <[F(S̄)←T]⁻>P ≡ ∃ts̄[P' ∧ s̄=S̄' ∧ F(s̄)=T']

where E' ≡ [(IF Z̄=s̄ THEN t ELSE F(Z̄))/F(Z̄)]E

(b) [[F(S̄)←T]]P ≡ P''

where E'' ≡ [(IF Z̄=S̄ THEN T ELSE F(Z̄))/F(Z̄)]E.

When F is 0-ary, IF Z̄=s̄ THEN t ELSE F(Z̄) can be simplified to t, giving Floyd's [15] construction of the most general consequent of an assignment statement as a special case, and IF Z̄=S̄ THEN T ELSE F(Z̄) can be simplified to T, giving Hoare's [16] backward substitution rule for assignment as a special case, namely that

[X←T]P ≡ [T/X]P.

(We shall often abbreviate [[ ]] to [ ].) Fortuitously [X←T] and [T/X] are much alike, and we rely on ← versus / to disambiguate them. Actually, since they are equivalent, the only reason one would want to distinguish them is when one wants to stress that [T/X]P is an abbreviation for something in ℰ while [X←T]P is an unabbreviated formula of modal logic. Thus [X←T] is semantic inasmuch as it has an interpretation under ⊨, while [T/X] is syntactic in that it specifies a transformation on an expression.
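The following Python is an added example, not code from the paper: it implements S1-S3 for the zeroary (simple variable) case of the substitution [T/X]P on formula trees, interprets formulas over a constructed finite domain D = {0,1,2} with + taken modulo 3, and checks Hoare's rule [X←T]P ≡ [T/X]P by comparing both sides in every state. The term and formula encodings, the variable set {x,y,z} and the fresh-variable scheme v0, v1, ... are assumptions made here; the `rename=False` switch exists only to show what goes wrong when S3's "new y" is ignored.

```python
from itertools import product

D = (0, 1, 2)               # constructed domain; + is taken modulo 3
VARS = ("x", "y", "z")      # the assignables; a state maps each to a value in D

# Terms:    ('var', name) | ('const', c) | ('add', t1, t2)
# Formulas: ('eq', t1, t2) | ('not', P) | ('and', P, Q) | ('exists', v, P)

def free_vars(e):
    """Variables occurring free in a term or formula."""
    tag = e[0]
    if tag == "var":
        return {e[1]}
    if tag == "const":
        return set()
    if tag == "exists":
        return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(sub) for sub in e[1:]))

def fresh(avoid):
    """A variable name not in `avoid`: the 'new y' that S3 requires."""
    n = 0
    while f"v{n}" in avoid:
        n += 1
    return f"v{n}"

def subst(e, x, T, rename=True):
    """[T/x]e for a zeroary F = x: S1 for x itself, S2 for other symbols,
    S3 for ∃ (renaming the bound variable first unless rename=False)."""
    tag = e[0]
    if tag == "var":                                   # S1 (F zeroary: result is T)
        return T if e[1] == x else e
    if tag == "const":
        return e
    if tag == "exists":                                # S3
        y, body = e[1], e[2]
        if y == x:                                     # x is bound: no free x inside
            return e
        if rename:
            y_new = fresh(free_vars(T) | free_vars(body) | {x})
            body, y = subst(body, y, ("var", y_new)), y_new
        return ("exists", y, subst(body, x, T, rename))
    return (tag,) + tuple(subst(sub, x, T, rename) for sub in e[1:])  # S2

def value(t, s):
    """𝔍T: the value of a term in state s, per (1)."""
    tag = t[0]
    if tag == "var":
        return s[t[1]]
    if tag == "const":
        return t[1]
    return (value(t[1], s) + value(t[2], s)) % len(D)

def truth(P, s):
    """𝔍⊨P: truth of a formula in state s; ∃ follows definition (2)."""
    tag = P[0]
    if tag == "eq":
        return value(P[1], s) == value(P[2], s)
    if tag == "not":
        return not truth(P[1], s)
    if tag == "and":
        return truth(P[1], s) and truth(P[2], s)
    v, body = P[1], P[2]
    return any(truth(body, {**s, v: d}) for d in D)

def assign(s, x, T):
    """The program [x←T] of definition (A) applied to state s."""
    return {**s, x: value(T, s)}

def states():
    """The universe U: every assignment of values in D to the variables."""
    for vals in product(D, repeat=len(VARS)):
        yield dict(zip(VARS, vals))

def hoare_rule_holds(P, x, T, rename=True):
    """Is [x←T]P ≡ [T/x]P valid, i.e. do both sides agree in every state?"""
    P_sub = subst(P, x, T, rename)
    return all(truth(P, assign(s, x, T)) == truth(P_sub, s) for s in states())

# Constructed instance: P = ∃y(x=y) and T = y+1, where y is captured unless renamed.
P_CAPTURE = ("exists", "y", ("eq", ("var", "x"), ("var", "y")))
T_Y_PLUS_1 = ("add", ("var", "y"), ("const", 1))
```

With renaming, `subst(P_CAPTURE, "x", T_Y_PLUS_1)` is ∃v0(y+1 = v0) and the rule holds; without it the result ∃y(y+1 = y) is false in every state while [x←y+1]∃y(x=y) is true, so the check fails.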

Lambda-calculus adherents will note the obvious similarity between [X←T]P and (λX.P)T; our above equivalence corresponds to the syntactic beta-reduction rule of the lambda-calculus. Our generalization to array assignment gives the appropriate rule for a lambda-calculus with arrays where single array elements can be bound, as in λa(y).a(x)+1, where due regard needs to be given to whether x=y.

Second-Order Assignment. We may call the above programs first-order assignments because individuals of D are being "moved around." A second-order assignment might be a pair of function symbols of the same arity, and would permit wholesale assignment of a function to a function symbol of the same arity. Thus if F and G were both binary, F←G would change the whole interpretation of F, not just its value at one point. The program [F←G] would then be

λ𝔍.λA. if A≠F then A_𝔍 else G_𝔍.

This notion of second-order assignment is not as general as it might be. For example, one might want to perform F←G∘H where F,G,H are all unary. However, this would introduce higher type functionals (in this case composition) into the language, which would make matters more complicated than we are willing to allow here. (This is not to imply that [F←G∘H] is not tidy - it is backward tidy, by a variation on the argument in the proof of the following theorem, that [F←G] is backward tidy.)

Thinking of the first order quantifier ∃x as <x←RANDOM>, we can think of the second-order quantifier ∃f as the second-order assignment <f←RANDOMFUNCTION>. This illustrates just how close our use of "second-order" is to the conventional use.

Theorem 5. Let F←G be a second-order assignment. Then

[[F←G]]P ≡ [G/F]P

([G/F] is a convenient abbreviation for [G(Z̄)/F(Z̄)].) Hence second-order assignment is backward tidy.

Open problem. Is F←G always forward tidy?



2.2 Loop-free Programs.

Union. We have already defined the union of two binary relations as being conventional set union, taking advantage of the representation of relations here as sets of transitions.

Theorem 6. {a∪b} = {a}∩{b}.

Note the exact analog of this binary logic theorem in unary logic: in both logics, "the theory of the union (of two subsets of either U or U²) is the intersection of the theories." In contrast, there is no analog of the following theorem in unary logic, in line with the idea that composition is a dynamic rather than a static operation.

Composition. Again, we have already defined the composition of two binary relations.

Theorem 7A. {a∘b} ⊇ {a}∘{b}.

The ⊇ cannot be strengthened to = without knowing more about a and b. For example, let V⊆U have no P∈ℰ_𝔓 satisfying ⊨P = V. Let a = I_V = {(𝔍,𝔍) | 𝔍∈V} and let b = I_{U−V}, so that a∪b = I_U and a∩b = ∅. Then a∘b = ∅, so {a∘b} is vacuously ℰ_𝔓², the set of all pca's, including (true,false). But by the construction there can be no P simultaneously satisfying true{a}P and P{b}false, so (true,false) cannot be in {a}∘{b}, whence {a∘b} ≠ {a}∘{b}.

Neither a nor b in this example is tidy, and in fact we can strengthen theorem 7A as follows.

Theorem 7. {a∘b} = {a}∘{b} when a is forward tidy or b is backward tidy.

Theorem 8.

(a) If a,b are forward tidy, so are a∪b and a∘b;

(b) If a,b are backward tidy, so are a∪b and a∘b.

Loop-free programs. The significance of union and composition is that, together with tests and assignments, they allow us to synthesize the abstract programs that correspond to loop-free flowcharts. The correspondence between the two may be formalized as follows. Define a flowchart to be a directed graph with edges labelled with tests and assignments (cf [17]), and having a start vertex and a set of final vertices. Take the corresponding binary relation to be the union, over all paths p from the start vertex to a final vertex, of the composition of the sequence of instructions along p. In the case of loop-free flowcharts, i.e. directed acyclic graphs, there can only be finitely many such paths, so such an abstract program can be synthesized from tests, assignments, finite union and composition. The foregoing theorems then tell us:

Corollary 9. All loop-free assignment-and-test programs are very tidy (possibly excepting forward tidiness for second order assignment).

So far we have considered only the programming constructs of tests (subsuming I and ∅), assignments, finite union and composition. We could proceed to consider further constructs such as if-then-else along the same lines. However, our preference in this case is to consider "if P then a else b" to be an abbreviation for "[P]∘a ∪ [¬P]∘b", much as we considered ∀xP to be an abbreviation for ¬∃x¬P. Similarly, we would regard the goto construct as a notation for describing flowchart programs textually, provided this gave rise to acyclic flowcharts, allowing us to further translate the flowchart into a program involving only tests, assignments, finite union and composition. (We discuss the case when the goto gives rise to a loop later, under the heading of regular programs.)

If one wanted to be more formal one might distinguish translational semantics from Π-semantics, classifying our definition of if-then-else as being of the former kind. The economies of description possible with such translational definitions do not need stressing.

Recursiveness. Tidiness by itself does not guarantee
usability of the tidiness functions. We say that a is forward
(backward) recursively tidy when a∘ (∘a) is recursive. In
the following we use "many-one reducibility" [30]: we say
X ≤_m Y when there exists a recursive function f such that x ∈ X
iff f(x) ∈ Y.

Theorem 10. {a∪b} ≤_m {a}×{b} (Cartesian product).

Theorem 11.

(a) If a is forward recursively tidy, {a∘b} ≤_m {b}.

(b) If b is backward recursively tidy, {a∘b} ≤_m {a}.

Theorem 12. If a is recursively tidy, {a} ≤_m {I}.

Theorem 13. Instructions are recursively very tidy.

Theorem 14. If a, b are forward (backward) recursively tidy,
so are a∪b and a∘b.

By themselves these theorems are somewhat dull. Taken
together, however, they yield the following interesting result,
used to advantage in King's thesis [18], using backward tidiness.

Corollary 15. If a is a loop-free assignment-and-test program,
{a} ≤_m {I}^n. (Note that {I}^n = {I}×{I}×...×{I} ≤_m {I},
for any n, since the n questions about membership in {I} can be
rephrased as a single conjunction.)

This asserts that to decide whether (P,Q) is true of a,
it suffices to ask whether a given first-order predicate calculus
formula holds.

It follows that the theory of programs without loops is
no less tractable than the "theory of the underlying logic."

Axiom Systems. The above results are quite strong,
promising recursive reductions to {I}. If we do not mind
weakening this to recursive enumerability, we can write out a
simple non-deterministic enumerator (or axiom system) for the
pca's true of a given loop-free program.

A1. {I} (i.e. we take all of {I} as axioms).

A2. P{a}Q, P{b}Q ⊢ P{a∪b}Q.

(This is equipollent with Hoare's P{a}Q, P'{b}Q' ⊢
P∧P'{a∪b}Q∨Q'.)

A3. P{a}Q, Q{b}R ⊢ P{a∘b}R.

A4. Q{[P]}P∧Q (or P⊃Q{[P]}Q).

A5. P{[F(S)←T]}∃s(P' ∧ s=S' ∧ F(s)=T') (or P''{[F(S)←T]}P)

where E' and E'' are defined as in Theorem 4.

A6. ([G/F]Q){[F←G]}Q (second order assignment).

An issue we do not resolve here is whether the object
inside { } is a program or a concrete representation of it. If
the latter, then we also need a rule:

A6'. P{a}Q ⊢ P{a'}Q provided a and a' represent the same
program.

This axiom system is a good approximation to the one
proposed by Hoare [16]. Theorems 1 to 8 provide immediate
confirmation of its soundness and completeness. Note the absence
of Hoare's "Rules of Consequence" P⊃Q, Q{a}R ⊢ P{a}R and
its backward dual P{a}Q, Q⊃R ⊢ P{a}R. We achieve their effect by
using I∘a = a∘I = a. Then Hoare's Rules of Consequence can be
derived from P{I}Q, Q{a}R ⊢ P{I∘a}R ⊢ P{a}R, and dually.

We draw the reader's attention to our efforts to separate
"competence" from "performance" (cf. [6]) in the above. Without
mentioning axiom systems, we established some properties of
theories of programs (competence) from which we could readily
infer the "correctness" of a non-deterministic system
(performance, in this case as realized by the given axiom
system). We feel that such a separation has some merit, and
would like to see it applied more frequently in all domains where
the dichotomy makes sense, including everyday programming.

2.3 Regular Programs. 

We now consider a larger class of programs by including
transitive closure as an operation. The reflexive transitive
closure a* of a is the least x (with respect to ⊆)
satisfying a ∪ I ∪ x ∪ x∘x = x, which can be shown to be
∪{a^n | n ≥ 0}, where a^n = a∘a∘...∘a, n times. We call
the closure of the set of assignments and tests under ∪, ∘ and *
the class of regular assignment-and-test programs. The
connection with flowcharts is as for the loop-free case, except
that the infinitely many paths that arise when loops are
permitted are disposed of by using Kleene's transformation of
such graphs into regular expressions. (Because we have union as
one of our constructs, permitting non-deterministic programs, the
obstacle raised by Ashcroft and Manna [3] for directly
translating deterministic flowcharts into deterministic
"structured" programs involving just assignment, composition,
if-then-else and while-do does not arise here.)

We may summarize the results of this section as follows.
Regular programs do not in general have as tractable theories as
loop-free programs. Even when F is completely uninterpreted
and {I} is r.e., the innocent looking program [X←F(X)]* does
not have an r.e. theory. However, as a sort of consolation
prize, invariance theories (sets of pca's of the form (P,P)) turn
out to be well behaved with respect to *.

It is easy to find a regular program without an r.e.
theory. Let 0 ∈ Σ_0 and +1, −1 ∈ Σ_1 (successor and predecessor),
all with their standard interpretations on the natural numbers.
Let a be a program implementing Minsky's universal two-counter
machine [28]. Then if {a} were r.e., the halting problem could
be solved by simultaneously running a and looking in {a} for
(P, false) where P says that the counters initially describe
φ_x(x). This capitalizes on the fact that though pca's cannot in
general assert termination, they can assert non-termination.

When all function symbols are uninterpreted, {a} as
described above is still not r.e., though to prove this takes a
little more care. The idea is to say enough in the antecedent P
referred to above to constrain the domain to have a substructure
isomorphic to the natural numbers with 0 and successor.

The fact that a is a universal program plays an
important role in these proofs. Thus the following theorem is of
considerable interest.

Theorem 16. Let |Σ_0| ≥ 4, |Σ_1| ≥ 3, |Π_1| ≥ 1, with
V ∈ Σ_0, F ∈ Σ_1. Let the symbols of Σ and Π (excepting =)
take on all possible interpretations in the universe U. Then
{[V←F(V)]*} is not r.e., despite {I} and {[V←F(V)]} both
being r.e.

Corollary 17. When {I} is r.e., [V←F(V)]* is not recursively
tidy.

(After Theorem 24 we will be able to strengthen this by dropping
"recursively.")

The proof of Theorem 16 appears to take advantage of the
fact that F is uninterpreted, by allowing us to say "if F were
interpreted as a single-stepper for a universal machine,
then... ." The following lends credence to that view.

Theorem 18. If ≤ ∈ Π then {[X←X+1]*} is recursively very tidy.

Invariance Theories. A sense in which * is tractable
can be found in the invariance theory of a, written (a),
which is the set of pca's (P,P) in {a}, i.e. those that express
invariance.

Theorem 19. (∅) = (I) = {(P,P) | P a formula}.

Theorem 20. (a∪b) = (a)∩(b).

Theorem 21. (a∘b) ⊇ (a)∩(b).

This inclusion ⊇ cannot be strengthened to = even if
we make a and b tidy or make a = b, as witnessed by
a = b = [X←F(X)] where F is uninterpreted. For let Q =
P(X) ∧ ∀y[P(y) ≡ ¬P(F(y))]. Then Q(a∘a)Q but not Q(a)Q.
Compare this with the way tidiness came to the rescue in Theorem
7. An amusing consequence of Theorem 21 is:

Corollary 22. For a given program a, the structure
({(a^n) | n ≥ 0}, ⊆) is a homomorph of the natural number division
lattice (N, |), with (a) as the least element and (I) as
the greatest. Further, when a = [X←F(X)] with F uninterpreted,
the homomorphism becomes an isomorphism.

Considering that invariance theories fare less well with
∘ than do full theories (as per Theorem 7), we should not be too
surprised to find in view of Theorem 16 that invariance theories
run into difficulties with * as well. This however is not the
case.

Theorem 23. (a*) = (a).

We can now add to our axiom system:

A7. P{a}P ⊢ P{a*}P.

We note in passing that an apparent limitation of the
method of proving flowchart programs correct by labelling
between-instruction points in the flowchart with assertions is
that the only assertions one can make about loops are invariance
assertions (in contrast, say, to being able to write P{a*}Q in
Hoare's notation). (We are again thinking of flowcharts as state
transition diagrams, i.e. as directed graphs with edges labelled
with instructions.) Theorem 23 strikes an optimistic note of
sorts by seeming to claim completeness given this limitation on
what one can claim about loops. This completeness is
unfortunately a mirage, since the limitation is a mirage; one can
in fact make other than invariance assertions about loops by the
device of having ε-transitions (edges labelled with the identity
program I) leading to and from the loop. This however does not
change the fact that Floyd's induction rule for flowchart
programs [15] cannot be stronger than our A7.

Cook [7] has recently found a situation where Corollary
15 can be extended to regular programs. The following theorem
distills a key idea in Cook's proof.

Theorem 24. (Star Interpolation Theorem). Let a* be tidy,
with P{a*}R. Then there exists Q satisfying P⊃Q⊃R and
Q{a}Q. (An equivalent statement of the theorem is that if a*
is tidy, {a*} = {I}∘(a)∘{I}.)

(We like the name "interpolation theorem" for this
theorem because of its vague resemblance to the celebrated Craig
Interpolation Lemma [8], which states more or less that if P⊃R
is valid then there exists Q such that P⊃Q⊃R is valid and Q
contains only predicate symbols common to both P and R.)

The significance of this theorem is that to prove P{a*}R
it suffices to prove Q{a}Q for the Q whose existence is
guaranteed by the interpolation theorem, then infer Q{a*}Q
(e.g. by our A7), and then use P⊃Q⊃R and Hoare's Rules of
Consequence (or our A3). Cook has shown that when {I} is
sufficiently "expressive", as is the case when 0, 1, +, × ∈ Σ and
have their standard interpretations, then all regular programs
are tidy, allowing the Interpolation Theorem to be applied.
(Cook actually showed this for what one might call "context-free"
programs, namely the class of programs with recursion, which
translates in our case into the closure of the regular programs
under the operation of taking fixed points of those first order
functions on programs definable by first-order lambda
abstraction.)

In the following we need the notion of enumeration
reducibility [30], written A ≤_e B, which roughly speaking means
that given an enumeration of B, A can be effectively
enumerated. Thus if A ≤_e B and B is r.e. then A is r.e.

Corollary 25. When all regular programs are tidy, {a} ≤_e {I}.

Corollary 26. Under the conditions of Theorem 16, if {I} is r.e.
then [V←F(V)]* is not tidy.

We remark in passing that programs such as operating
systems that are intended to run forever can be handled quite
elegantly using *. At first this seems impossible since a
program that never terminates is semantically equivalent to the
empty program, for which all pca's hold. Indeed, when we
translate the program

while true do a

into

([true]∘a)* ∘ [false]

we immediately observe [false] = ∅ and x∘∅ = ∅. However, if
we simply remove the offending "∘[false]", we are left with a
program that simplifies to a*. Then P{a*}Q tells us that if
at some time during the running of the program (e.g. at start-up
time) P held, then after every execution of a, no matter how
long this continues, Q will hold. Thus although we were unable
to use the theory of the original program, it being the set of
all pca's, the theory of a closely related program furnished us
with precisely the information we required. This is a good
example of how Floyd-Hoare logic can be more useful than might at
first appear.

3. Extensions

The theory of sections 1 and 2 is based on quite
simplistic notions of program (binary relation on states) and
theory (binary relation on formulae). Dealing with other program
constructs than union, composition and reflexive transitive
closure may not always be possible in this framework. We explore
this in section 3.1 as the definability problem. For example,
the notions of concurrent process, block structure, and
call-by-name seem not to be definable for binary-relation
programs. We broaden the usual notion of "mathematical
semantics" as "I/O semantics" to embrace a variety of notions of
"abstract program." In section 3.2 we look at one approach to
the problem of extending the descriptive adequacy of Floyd-Hoare
logics, which is handicapped by its ability to be only an upper
bound (with respect to inclusion) on programs.

3.1 A Program Hierarchy 

In this section we cease to identify programs with binary
relations on states, for we will be considering a hierarchy of 7
kinds of programs. In order of decreasing information, this
hierarchy is

(i) Grammars (Permits finite programs)

(ii) Languages (Permits sophisticated control)

(iii) *-ary relations (Permits parallelism)

(iv) Multiweighted binary relations
(Preserves complexity information)

(v) Weighted binary relations (Ditto)

(vi) Binary relations (Preserves I/O information)

(vii) States (Preserves termination information)

This hierarchy is not intended as some hard-and-fast
structure, but rather as some interesting points in the partial
ordering (by information content) of varieties of programs. The
following is also not meant to be so much prescriptive as
descriptive, and we will often use "might be" in place of "is."

Let us begin with grammars. To motivate this, we can
start with the following program for computing factorial(X).

A:=1; while X>0 do begin A:=X×A; X:=X−1 end.

This program serves to control a processor that emits a string of
instructions. As such it serves the same function as a grammar.
While this program may not look much like a grammar, if we
rewrite it as a regular expression with alphabet Σ (the set of
tests and assignments of section 2), we might have

A←1; (X>0; A←X×A; X←X−1)*; X≤0

as the regular expression generating all possible execution
sequences, where we have written ; for concatenation. Another
way to generate this set is with a finite-state transition
diagram, which would be a flowchart program of sorts, though with
the usual roles of edges and vertices interchanged. See R.
Karp's Ph.D. thesis [17] for an early example of this
state-transition style of flowchart. Context-free grammars can
of course be used for parameter-less recursion [10, 11].

From grammars we move to the languages they generate.
The usual operations of union, concatenation and Kleene closure
apply here. Otherwise there is little to say about them at this
point.

To get from languages to *-ary relations we need Elgot's
[14] notion of fusion product. Let R, S be two binary
relations. Take their fusion product to be {(a,b,c) | aRbSc}.
The result is a 3-ary relation. Fusion product generalizes to
relations of arbitrary arity. We define a *-ary relation to be a
set of k-tuples (for various k ≥ 1) over some domain, call it U
since our application is to the domain of states. Let R and S
be two *-ary relations. Then their fusion product R·S is
{(a,b,...,c,d,e,...,f,g) | (a,b,...,c,d) ∈ R ∧ (d,e,...,f,g) ∈ S}.
The union of *-ary relations is defined in the obvious way.
This system is a semi-ring (ring with no additive inverses) [2,4]
with addition operator ∪ and multiplication operator ·. The
reflexive transitive closure of R is defined, as for any
semi-ring, as the (necessarily unique) least fixpoint of
λx.R ∪ I ∪ x ∪ (x·x). (Here x is least when x∪f = f for any
fixpoint f.) We call the elements of a *-ary relation paths,
each k-tuple being a path of length k−1. This generalizes the
notion of transition used earlier in that the intermediate states
are recorded as well as the initial and final states.

The map from languages to *-ary relations is defined with
the help of the function [ ], defined in section 1 for tests
and assignments (perhaps varied for tests so that it maps P to
[P]). Extend [ ] to strings by letting it map concatenation to
fusion product; thus if α ∈ Σ* and |α| = n, [α] will be an
(n+1)-ary relation. If |α| = 0, take [α] to be U, the
set of all states, a unary relation. Extend [ ] to sets of
strings completely additively, so that for any set of strings L,
finite or infinite, [∪L] = ∪[L]. This completes the definition
of [ ]. A useful theorem is that [ ] takes Kleene closure to
transitive closure, which follows from the complete additivity of
[ ].

We now throw away the names of the intermediate states
in the paths and consider just the path lengths. Thus the
(n+1)-tuple (a,...,b) becomes the triple (a,n,b). We call a
set of such triples a multiweighted binary relation; each
transition (a,b) has a set of weights; each such weight w
corresponds to an element (a,w,b) in the multiweighted relation.
The intuition is that the weights represent the costs of the
possible transitions from a to b. In the variation where [P]
is taken to be the unary relation P (the set of states satisfying
P) rather than a binary one, only assignments enter into this
accounting.

In the cost function, only one weight is associated with
each transition. Thus the cost function corresponding to the
multiweighted binary relation R is a function from U² to
N ∪ {∞} which maps (a,b) to the least n such that (a,n,b) is
in R, or to ∞ if there is no such n. The intuition is that
this function gives the fastest way of getting from a to b.

By composing the cost function with the function that
maps ∞ to 0 and everything else to 1, we get a function from
U² to {0,1} that can be considered to be a binary
relation in the usual way. We have reached the binary relations
that we used in sections 1 and 2.

Finally, by projecting a binary relation onto its first 
coordinate, we get the domain of that relation, namely those 
states that lead to a final state. This supplies enough 
information to discuss termination without getting specific as to 
what state the program terminates in. 
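The descent from level (ii) to level (vii) just described can be carried out mechanically on the factorial program above. The following is an added example and not part of the paper: it takes the regular expression A←1;(X>0;A←X×A;X←X−1)*;X≤0 over a constructed finite universe (X and A ranging over 0..24), enumerates its language up to a fixed number of loop iterations, builds the *-ary relation of paths by fusion product, then forgets intermediate states (multiweighted relation), keeps the least weight (cost function), keeps only the pairs of finite cost (binary relation) and finally projects onto the first coordinate (domain). The symbol names and the function names are this example's own.

```python
"""The program hierarchy of section 3.1, run on the factorial program.

Added example, not from the paper.  Each function produces the object at
one level of the hierarchy from the object at the level above it, over
a constructed finite universe of states (X, A) with 0 <= X, A <= BOUND.
All names are this example's own.
"""
from functools import lru_cache
from itertools import product

BOUND = 24          # constructed universe bound; 4! = 24 still fits
STAR_DEPTH = 6      # enumerate (...)* up to this many iterations

INF = float("inf")


def states():
    return [(x, a) for x, a in product(range(BOUND + 1), repeat=2)]


# The alphabet Σ of tests and assignments.  Each symbol denotes a partial
# function on states: tests are the identity where they hold, assignments
# are undefined where the result would leave the universe.
SIGMA = {
    "A<-1":   lambda x, a: (x, 1),
    "X>0":    lambda x, a: (x, a) if x > 0 else None,
    "A<-X*A": lambda x, a: (x, x * a) if x * a <= BOUND else None,
    "X<-X-1": lambda x, a: (x - 1, a) if x > 0 else None,
    "X<=0":   lambda x, a: (x, a) if x <= 0 else None,
}


@lru_cache(maxsize=None)
def meaning(symbol):
    """[σ] as a 2-ary relation: the set of paths of length 1."""
    rel = set()
    for s in states():
        t = SIGMA[symbol](*s)
        if t is not None:
            rel.add((s, t))
    return frozenset(rel)


def fusion(r, s):
    """Elgot's fusion product of *-ary relations: glue paths of r to paths
    of s whose first state is the last state of the r-path."""
    by_first = {}
    for q in s:
        by_first.setdefault(q[0], []).append(q)
    return {p + q[1:] for p in r for q in by_first.get(p[-1], ())}


def language(depth=STAR_DEPTH):
    """Level (ii): execution sequences of A<-1;(X>0;A<-X*A;X<-X-1)*;X<=0,
    truncated at `depth` iterations of the starred part."""
    body = ("X>0", "A<-X*A", "X<-X-1")
    return {("A<-1",) + body * n + ("X<=0",) for n in range(depth + 1)}


def paths(lang):
    """Level (iii): [L] = ∪{[w] | w ∈ L}, with [w] the fusion product of
    the instruction relations along w and [ε] = U (a unary relation)."""
    unit = {(s,) for s in states()}
    result = set()
    for word in lang:
        rel = unit
        for symbol in word:
            rel = fusion(rel, meaning(symbol))
        result |= rel
    return result


def multiweighted(ps):
    """Level (iv): forget the intermediate states, keep the path length."""
    return {(p[0], len(p) - 1, p[-1]) for p in ps}


def cost(mw):
    """Level (v): the least weight of each transition, as a dict; absent
    pairs have cost ∞ (see cost_of)."""
    best = {}
    for a, n, b in mw:
        best[(a, b)] = min(n, best.get((a, b), INF))
    return best


def cost_of(c, a, b):
    return c.get((a, b), INF)


def binary(c):
    """Level (vi): map ∞ to 0 and every finite cost to 1, i.e. keep the
    pairs of finite cost."""
    return {ab for ab, n in c.items() if n != INF}


def domain(rel):
    """Level (vii): the states from which some final state is reached."""
    return {a for a, b in rel}


if __name__ == "__main__":
    c = cost(multiweighted(paths(language())))
    print("cost of computing 3! from (X,A)=(3,7):", cost_of(c, (3, 7), (0, 6)))
    print("starting states that terminate:", sorted(domain(binary(c)))[:5], "...")
```

Because 5! exceeds the constructed bound, the assignment A←X×A is undefined on that path and no state with X=5 reaches a final state; the domain therefore reports exactly the starting states for which the run stays inside the universe, which is the termination information level (vii) is meant to preserve.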

There is an interesting trade-off here between
definability and describability. As one moves down the
hierarchy, programs become more describable, but operations on
programs become less definable. The reason Floyd-Hoare theories
describe type (vi) programs easily is because these are so low in
the hierarchy. A theory of termination applied to type (vii)
programs is even easier; the set of initial states that lead to a
final state can be described with formulae in L_1, with
truth defined via unary ⊨ as usual. On the other hand, there
are almost no proposals in the literature for languages suitable
for describing programs of types (i)-(v), other than in the
trivial sense in which they describe the information in the
program preserved in the transition to level (vi). An exception
is Kroeger's [21] notion of "thickness," capturing running
time; this appears explicitly in his modal language, but no
formal semantics analogous to (2) of our section 1.1 or (3) in
1.2 is given in [21], and it is not clear to us how to construct
such a semantics based on our level (v). This level is of
particular interest because it incorporates the minimum
information needed to describe the running time complexity of a
program.

In considering definability we will start with
determinism and totality, then turn to other operations. The
notions of determinism and totality depend on which kind of
program one is discussing. For example, if we are discussing
level (vi) programs, then a deterministic program would be a
function. We call this 6-determinism to correspond to level
(vi), or more mnemonically and independently of our particular
hierarchy, IO-determinism (for input/output). At level (vii)
determinism is not definable. A reasonable definition of a
G-deterministic (level (i), G for Grammar) program written as a
flowchart (directed graph) might be that it satisfies:

(a) all final nodes are leaves (i.e. have out-degree 0), and

(b) if there exist distinct edges (w,u), (w,v) then they are
labelled with tests not simultaneously satisfiable.

Alternatively one could frame the same condition in terms
of domains of the instructions labelling edges:

(a) if u is final, all edges (u,v) have empty domains;

(b) distinct edges (w,u), (w,v) have disjoint domains.

To define 2-determinism (or L-determinism), it helps to
have the notion of the prefix tree of a language. For L ⊆ Σ*,
let πL be {w ∈ Σ* | ∃a ∈ Σ [wa ∈ L]}, the immediate prefixes of L, and
let π*L be the least L' satisfying
L ∪ L' ∪ πL' = L',

the prefixes of L. Then the prefix tree of L is the directed
graph T(L) = (π*L, {(πw, w) | w ∈ π*L}). (Recall
that graphs are presented as (V,E) where V is the vertex set and
E the edge set.) Consider the edge (w,wa) (for a ∈ Σ) to be
labelled a. Call those vertices of T(L) that are in L final.
Clearly all leaves are final, but the converse does not
necessarily obtain.

A program represented as a language has such a prefix
tree, which is the non-deterministic non-total analogue of
decision trees [29]. Such a tree can be executed by starting at
the root (guaranteed to exist when the language is non-empty) and
following a path along which no tests evaluate to false. Halting
is permitted only at final nodes. Since we have produced from L
a (possibly infinite) state transition diagram that generates L,
we have an object to which we can apply whatever definition we
used for G-determinism. Hence we can say that a
program is L-deterministic just when the prefix tree of the
language representation of the program is G-deterministic.

Totality is definable at all levels. Extending our
notion of k-determinism in the obvious way, 7-totality (or
D-totality) simply means that the domain is all of the universe
U. For 3 ≤ k ≤ 6, k-totality seems best defined as D-totality,
whereas G-totality should be a syntactic notion that for a
flowchart would say that for every non-final vertex w there
should exist either an assignment edge (w,u), or a set of edges
{(w,u_1), ..., (w,u_j)} whose labels are tests such that

P_1 ∨ ... ∨ P_j is satisfiable. Alternatively, we could simply
require that for every non-final vertex w there exists a set of
edges {(w,u_1), ..., (w,u_j)} the union of whose domains is U.
Both these definitions are clearly stronger than D-totality. For
L-totality we can do as we did for L-determinism, namely apply
the definition of G-totality to the prefix tree of the language
representation of the program.
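The prefix tree, and the transfer of the flowchart definitions of G-determinism and G-totality to it, are concrete enough to compute for a finite language. The following is an added example and not part of the paper: it builds T(L) for a finite L over a small alphabet of tests and assignments, uses the domain-based forms of the two definitions (sibling edges have pairwise disjoint domains; final vertices are leaves; the domains of a non-final vertex's out-edges cover U), and evaluates instruction domains over a constructed universe in which the single variable X ranges over 0..5. Alphabet, domains and function names are this example's own.

```python
"""Prefix trees, L-determinism and L-totality (section 3.1).

Added example, not from the paper.  A program is given as a finite
language L over an alphabet of tests and assignments.  The block builds
the prefix tree T(L) and applies the domain forms of G-determinism and
G-totality to it, over a constructed universe U = {0, ..., 5} for the
one variable X.  All names are this example's own.
"""
UNIVERSE = frozenset(range(6))

# Domain of each instruction: the states on which it is defined.  A test
# is defined exactly where it holds; the assignments used here are total.
DOMAIN = {
    "X>0":    frozenset(x for x in UNIVERSE if x > 0),
    "X<=0":   frozenset(x for x in UNIVERSE if x <= 0),
    "X=0":    frozenset(x for x in UNIVERSE if x == 0),
    "X<-X-1": UNIVERSE,
    "X<-0":   UNIVERSE,
}


def prefixes(lang):
    """π*L: every prefix of every word of L, the vertex set of T(L)."""
    return {w[:i] for w in lang for i in range(len(w) + 1)}


def prefix_tree(lang):
    """T(L) = (π*L, {(πw, w) | w ∈ π*L, w ≠ ε}); the edge (w, wa) is
    labelled a, which is recovered as the last symbol of the target."""
    verts = prefixes(lang)
    edges = {(w[:-1], w) for w in verts if w}
    return verts, edges


def children(edges, w):
    return [v for (u, v) in edges if u == w]


def is_deterministic(lang):
    """L-determinism: G-determinism applied to T(L).
    (a) final vertices (the words of L) are leaves;
    (b) distinct edges out of one vertex have disjoint domains."""
    verts, edges = prefix_tree(lang)
    for w in verts:
        kids = children(edges, w)
        if w in lang and kids:
            return False
        labels = [v[-1] for v in kids]
        for i, p in enumerate(labels):
            for q in labels[i + 1:]:
                if DOMAIN[p] & DOMAIN[q]:
                    return False
    return True


def is_total(lang):
    """L-totality: out of every non-final vertex the union of the domains
    of the edge labels is all of U."""
    verts, edges = prefix_tree(lang)
    for w in verts:
        if w in lang:
            continue
        covered = frozenset().union(*(DOMAIN[v[-1]] for v in children(edges, w)))
        if covered != UNIVERSE:
            return False
    return True


# Constructed sample languages (tuples of instruction names are words).
IF_ELSE = {("X<=0",), ("X>0", "X<-0")}            # if X<=0 then skip else X<-0
OVERLAP = {("X>0", "X<-X-1"), ("X=0",), ("X<-0",)}  # X<-0 competes with the tests
GUARDED = {("X>0", "X<-X-1")}                      # undefined at X=0
NESTED = {("X<-0",), ("X<-0", "X<-0")}             # a final vertex with a child

if __name__ == "__main__":
    for name, lang in [("IF_ELSE", IF_ELSE), ("OVERLAP", OVERLAP),
                       ("GUARDED", GUARDED), ("NESTED", NESTED)]:
        print(name, "deterministic:", is_deterministic(lang), "total:", is_total(lang))
```

The last sample shows why clause (a) is needed even in a tree: both words of NESTED are final, and the shorter one is a proper prefix of the longer, so the machine may halt or continue at the same vertex.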

We now consider which other operations on programs are
definable at a given level. The less information in a program,
the fewer operations that can be defined. The operation of union
is ubiquitous, applying to all types of programs. Composition
applies to all but the last. An interesting programming language
construct I have not seen proposed before is "fastest(a)" which
computes a by the fastest possible method, in the sense that if
there is more than one way to execute the program a, as there
may be in a nondeterministic system, then the fastest should be
chosen. This operation is not definable beyond type (iv). An
operation useful in operating systems is that of merge (or
shuffle), which forms all possible order-preserving merges of
the strings of its two arguments. This operation does not seem
to be definable beyond type (ii). Recursion is definable at
level (vi) [10]. In a program with recursion and block
structure, if each new activation of a variable is regarded as in
fact being a new variable (calling for a more sophisticated
grammar than a context-free one if the definition is to be
performed at level (i), e.g. indexed grammars [1]), then the
concept of block structure is not definable beyond type (ii).
Call-by-value can be captured at level (ii) by combining block
structure with assignment, but call-by-reference seems to call
for either a very complex language (i.e. at level (i) a very
powerful grammar) or for a different kind of assignment from the
one we have been using, one that can interpret references. Once
call-by-reference is provided for, call-by-name can be handled in
imitation of the classic method of "thunks," but it too seems
not definable beyond level (ii). (It should be pointed out that
"is definable" means roughly "makes sense," and does not at
present have a better defined meaning.)

When the restriction of the homomorphism from type i to
type j programs to a class C of type i programs is an
isomorphism, we call C an i→j-preserving class. A program in
such a class contains no information that cannot be reconstructed
from its type j counterpart, at least for the purpose of
distinguishing it from other programs in C. Knuth [19]
(problem 1.2.1-13) describes a transformation on programs that
precedes every basic instruction by "T←T+1" where T is a new
variable. This transformation yields a program (i) whose type 5
version is in a 5→6-preserving class, and (ii) whose type 6
version is identical to the type 6 version of the unmodified
program to within the effect on T. The importance of this
transformation is that in the transformed program the timing
information is not lost in the transition from type 5 to type 6.
Hence a pca, which ostensibly only describes type 6 programs, can
in effect describe type 5 programs. Since pca's only supply
upper bounds on programs, this method requires some independent
guarantee of termination. Luckham and Suzuki [22] develop this
idea further; it appears that this guarantee has to come in the
interpretation of the pca. They treat this as an application of
the "law of the excluded middle."

3.2 Modal Logic 

In this section we will look briefly at an alternative to
Floyd-Hoare logic for describing programs, namely modal logic, a
significant advantage of which is that it allows one to talk
about correctness and termination in the same first-order
language. (As might be guessed from section 1, we now need to
return to our convention that programs are binary relations.)
Part of this work was done jointly with R. Moore in 1974 [27]. A
similar proposal has been briefly sketched by Burstall [5], who
suggests that the classical modal logic S5 may be used to discuss
correctness and termination simultaneously. Considering that S5
logics are those whose modalities have equivalence relations for
their interpretations, we may infer that either Burstall was on
the right track but had not developed the idea to the point where
S5 could be seen to be inappropriate, or had a considerably
different idea from us of how modal logic was to be applied to
the problem. Schwarz [33] has developed Burstall's work further,
with a definite commitment to S5. Kroeger [21] has also proposed
a modal approach to the logic of programs, in considerably more
detail than Burstall, and with a concern for ⊨-semantics equal to
ours. A major difference between our approach and Kroeger's is
that where we regard programs as (interpretations of) modalities
(unary logical connectives), Kroeger regards them as
propositional variables, and has only one (program-independent)
modality. Both systems represent interesting applications of
modal logic, though the connection of ours with conventional
first-order predicate calculus is more readily established
through our program-oriented semantics of ∃x.



Recall from section 1.1 the interpretations of [a]P and
<a>P. Under these interpretations the following formulae are
visibly valid:

[X←1]X=1

<X←1>true

[X>0]X>0

Y>0 ⊃ [X>0]Y>0

X=0 ⊃ <X=0>true

<c*>true

X>0 ⊃ <(X←X−1)*>X=0

These particular valid formulae generalize in some
obvious ways, which we can call axioms.

Logical Axioms

All tautologies of Propositional Calculus.

[a](P⊃Q) ⊃ ([a]P ⊃ [a]Q).

Logical Inference Rules

P, P⊃Q ⊢ Q.

P ⊢ [a]P (subsumes P ⊢ ∀xP).

Some theorems that follow from these axioms are:

[a](P∧Q) ≡ [a]P ∧ [a]Q.
<a>(P∨Q) ≡ <a>P ∨ <a>Q.
<a>(P∧Q) ⊃ (<a>P ∧ <a>Q).
[a]P ⊃ (<a>Q ⊃ <a>(P∧Q)).
[a](P⊃Q) ⊃ (<a>P ⊃ <a>Q).

Axioms for Basic Programs

∀xP ⊃ [T/x]P (any term T)   Universal Axiom.

P ⊃ ∀xP unless x ∈ P   ∀ Frame Axiom,

where x ∈ A(B) ≡ A ≠ ∃x ∧ (A = x ∨ x ∈ B) (free occurrences).

[P]Q ≡ P⊃Q   Test Axiom.

[F(S)←T]P ≡ [IF Z=S THEN T ELSE F(Z) / F(Z)]P   Assignment Axiom.
(Here IF-THEN-ELSE is removed as in Theorem 4.)

The two quantification axioms assert that "x←RANDOM"
can change the value of x to anything, and that nothing but x
gets changed. Note the departure from conventional logic, where
both these axioms would be regarded as logical axioms. Because
particular programs are non-logical for us in the same sense that
the particular function denoted by + is considered non-logical
in conventional logic, and because ∃x denotes a particular
program (x←RANDOM), we prefer to think of axioms involving ∃x as
non-logical.

The logical axiom [a](P⊃Q) ⊃ ([a]P ⊃ [a]Q) and the
non-logical ∀ Frame Axiom are combined in Mendelson's [25]
system K as ∀x(P⊃Q) ⊃ (P ⊃ ∀xQ) unless x ∈ P. Despite the
elegance of such a compression, we feel there is some intrinsic
merit in our separation.

Sample theorems that follow from these axioms are:

Tests

[P]P   Theorem of Intent.

Q ⊃ [P]Q   Theorem of Invariance.

P ⊃ <P>true   Theorem of Performance.

Assignments

s=S ∧ t=T ⊃ [F(S)←T]F(s)=t (s, t not occurring in S, T)   Theorem of Intent.

(P ∧ y=F(S) ∧ s=S) ⊃
[F(S)←T][IF Z=s THEN y ELSE F(Z) / F(Z)]P   Theorem of Invariance.

<F(S)←T>true   Theorem of Performance.

The reader familiar with predicate calculus will
recognize in the logical axioms and rules, together with the
two quantification axioms, a sound complete axiom system for the
pure predicate calculus, which we can regard as a language for
talking about "assignment" programs of the form x←RANDOM. This
prompts the question, is the axiom system we have given sound and
complete when L is extended to include test and assignment
modalities? This is easily answered in the affirmative, simply
because the axioms for assignments and tests involve a direct
equivalence with a formula not involving the command, unlike the
axioms for quantifiers. The absence of such an equivalence for
∃x considerably complicates the completeness proof; fortunately
for us, this difficult problem was solved long ago. With such an
equivalence, we know that the left side of the equivalence is
provable if and only if the right side is. Since the right side
does not involve assignment or test modalities, it is provable if
and only if it is valid, since our axiomatization of the pure
predicate calculus is sound and complete. Finally, the right
side is valid if and only if the left side is, by Theorems 3 and
4. Hence for any test or assignment a, [a]P is provable if
and only if it is valid.

We now expand the system to include finite union and
composition. The following are obvious corollaries of Theorems 6
and 7.

[a∪b]P ≡ [a]P ∧ [b]P   Union Axiom.

[a∘b]P ≡ [a][b]P   Composition Axiom.

All of the above axioms have already been established as
theorems in Section 2. If a is some loop-free program, the
axioms "specify" a series of transformations of [a]P that
terminates with a formula of L_1. This says much the
same as Corollary 15. It also allows us to prove, by induction
on the height of programs, that these axioms keep the system
sound and complete even when L is augmented with modalities
involving ∪ and ∘.
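The series of transformations just mentioned, and the reduction of Corollary 15 it restates, can be made explicit as a rewriting procedure. The following is an added example and not part of the paper: it represents formulas and loop-free programs as nested tuples, applies the Test, Assignment, Union and Composition axioms as left-to-right rewrite rules until no program modality remains, and then confirms on concrete states that the resulting modality-free formula holds exactly when every execution of the program ends in a state satisfying P. Only scalar assignment x←T is handled (the array form F(S)←T of the Assignment Axiom is omitted), there are no quantifiers, and all names are this example's own.

```python
"""Eliminating program modalities from [a]P for loop-free programs.

Added example, not from the paper.  The Test, Assignment, Union and
Composition axioms of section 3.2 are used as rewrite rules that drive
[a]P down to a modality-free formula; `run` is a small interpreter used
only to cross-check the result.  Scalar variables only; all names are
this example's own.
"""
import operator

# Terms:    ("var", x) | ("num", n) | (op, t, u) with op in "+", "-", "*"
# Formulas: ("true",) | ("cmp", op, t, u) | ("not", P) | ("and", P, Q)
#           | ("or", P, Q) | ("imp", P, Q) | ("box", a, P)   i.e. [a]P
# Programs: ("test", P) | ("assign", x, t) | ("union", a, b) | ("comp", a, b)

ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul}
CMP = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}


def subst(node, x, t):
    """[t/x]P: replace every occurrence of variable x by the term t.
    There are no binders in this fragment, so plain replacement is sound."""
    if node[0] == "var":
        return t if node[1] == x else node
    if node[0] in ("num", "true"):
        return node
    return (node[0],) + tuple(subst(c, x, t) if isinstance(c, tuple) else c
                              for c in node[1:])


def eliminate(f):
    """Rewrite f into an equivalent formula containing no [a] modality."""
    tag = f[0]
    if tag in ("true", "cmp"):
        return f
    if tag in ("not", "and", "or", "imp"):
        return (tag,) + tuple(eliminate(c) for c in f[1:])
    assert tag == "box"
    a, p = f[1], eliminate(f[2])            # clear P of modalities first
    kind = a[0]
    if kind == "test":                      # [P]Q  ≡  P ⊃ Q
        return ("imp", eliminate(a[1]), p)
    if kind == "assign":                    # [x<-T]P  ≡  [T/x]P
        return subst(p, a[1], a[2])
    if kind == "union":                     # [a∪b]P  ≡  [a]P ∧ [b]P
        return ("and", eliminate(("box", a[1], p)), eliminate(("box", a[2], p)))
    if kind == "comp":                      # [a∘b]P  ≡  [a][b]P
        return eliminate(("box", a[1], ("box", a[2], p)))
    raise ValueError("loop-free programs only; no * here")


def term_value(t, state):
    if t[0] == "var":
        return state[t[1]]
    if t[0] == "num":
        return t[1]
    return ARITH[t[0]](term_value(t[1], state), term_value(t[2], state))


def evaluate(f, state):
    """Truth of a modality-free formula in a state (a dict of values)."""
    tag = f[0]
    if tag == "true":
        return True
    if tag == "cmp":
        return CMP[f[1]](term_value(f[2], state), term_value(f[3], state))
    if tag == "not":
        return not evaluate(f[1], state)
    if tag == "and":
        return evaluate(f[1], state) and evaluate(f[2], state)
    if tag == "or":
        return evaluate(f[1], state) or evaluate(f[2], state)
    if tag == "imp":
        return (not evaluate(f[1], state)) or evaluate(f[2], state)
    raise ValueError("modality not eliminated: %r" % (f,))


def run(a, state):
    """Relational semantics: the set of states a can reach from `state`."""
    kind = a[0]
    if kind == "test":
        return {frozenset(state.items())} if evaluate(a[1], state) else set()
    if kind == "assign":
        new = dict(state)
        new[a[1]] = term_value(a[2], state)
        return {frozenset(new.items())}
    if kind == "union":
        return run(a[1], state) | run(a[2], state)
    return {u for t in run(a[1], state) for u in run(a[2], dict(t))}


def box_holds(a, p, state):
    """Semantic [a]P at a state: every a-successor satisfies P."""
    return all(evaluate(p, dict(t)) for t in run(a, state))


# Worked instance: if X>=Y then Z<-X-Y else Z<-Y-X, written as the
# abbreviation [X>=Y]∘(Z<-X-Y) ∪ [¬X>=Y]∘(Z<-Y-X), and the postcondition Z>=0.
V = lambda x: ("var", x)
GE = lambda t, u: ("cmp", ">=", t, u)
ABS_PROGRAM = ("union",
               ("comp", ("test", GE(V("X"), V("Y"))), ("assign", "Z", ("-", V("X"), V("Y")))),
               ("comp", ("test", ("not", GE(V("X"), V("Y")))), ("assign", "Z", ("-", V("Y"), V("X")))))
POST = GE(V("Z"), ("num", 0))

if __name__ == "__main__":
    print(eliminate(("box", ABS_PROGRAM, POST)))
```

The eliminated formula for the instance is (X≥Y ⊃ X−Y≥0) ∧ (¬(X≥Y) ⊃ Y−X≥0), which is valid, so [ABS_PROGRAM]Z≥0 is provable; with the postcondition Z>0 the same procedure yields a formula that fails at X=Y, which is exactly the state from which the program ends with Z=0.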

To deal with *, we have:

<a^n>P ⊃ <a*>P   Axioms of Intent.

P ⊃ [a]P ⊢ P ⊃ [a*]P   Rule of Invariance.

[N+1/N]P ⊃ <a>P ⊢ P ⊃ <a*>[0/N]P   Rule of Performance.

In the Axioms of Intent for *, n is a meta-variable
giving one axiom per natural number. In the Rule of Performance,
N is in Σ_0, and we require 0 in Σ_0 and +1 (successor) in
Σ_1. Besides = in the assignment axiom for non-zero arities,
this is the only rule (or axiom) requiring non-logical symbols,
and then only when N ∈ P.

A word of caution is in order here about replacing ⊢ by 
⊃ in the Rule of Invariance for *. The meaning of (P ⊃ [a]P) ⊃ 
(P ⊃ [a*]P) is that for any state 𝔰, if P ⊃ [a]P holds in 𝔰 then 
so does P ⊃ [a*]P. A counter-example to this would be when P is 
X<10, a is [X←X+1] and 𝔰 satisfies X=0. "Running" a once 
in this state will certainly preserve P, but running it ten or 
more times will not. The rule itself is sound because its premise 
is required to be valid, that is, to hold in every state and not 
merely in the state at hand. A similar warning holds for the Rule of 
Performance for *, even if we rephrase it as the rule 
∀n[P(n+1) ⊃ <a>P(n)] ⊢ P(T) ⊃ <a*>P(0). In this case one 
counter-example would be to make 𝔰 satisfy X=2 ∧ Y=1, and to 
take P(n) to be X=n and a to be [X←X−Y] ∘ [Y←0]. Then in 𝔰 the 
antecedent holds, but after running a once, X can no longer 
decrease, and will thereafter remain stuck at 1. 

To see these rules in action, we may show with their help 
that the following program halts when X≥0 initially. 

    ((X≠0 ∘ X←X−1 ∘ Y←Y+1)* ∘ X=0 ∘ Y←Y−1 ∘ 
     (Y≠0 ∘ Y←Y−1 ∘ X←X+1)* ∘ Y=0)* ∘ X=0 

Manna and Pnueli [24] have proved that this program 
halts, claiming that such a proof by Floyd's method of 
demonstrating termination [15], namely showing that traversing 
any loop decreases some well-founded quantity, would be very 
complicated. They proposed another approach. Our modal logic 
approach supplies yet another first-order approach with the added 
advantage that it has an elegant semantical basis. 

If we permit program modalities in tests, we are in 
effect allowing behavior conditional on "what might have been," 
that is, on properties of hypothetical worlds accessed by 
programs that leave behind no side effects after the test. This 
gives us a quite simple foundation for the semantics of languages 
like PLANNER and CONNIVER, where such exploratory tests are 
possible. 

4. Appendix 

All theorems are re-stated here and proved if necessary. 

Tidiness Duality Lemma (TDL): Program a is forward tidy if 
and only if a⁻ is backward tidy. 

Proof.  a forward tidy ≡ ∀P∃Q(Q ≡ <a⁻>P) 

                       ≡ ∀P∃Q(Q ≡ ¬[a⁻]¬P) 

                       ≡ ∀P∃Q(Q ≡ [a⁻]P)        (¬P ↦ P, ¬Q ↦ Q) 

                       ≡ a⁻ backward tidy.  ∎ 

Tidiness Characterization Lemma (TCL): 

(a) Let a be forward tidy. Then {a} = (a⊳) ∘ {I}. 

(b) Let b be backward tidy. Then {b} = {I} ∘ (⊲b). 

(Here P(a⊳)Q means Q ≡ <a⁻>P, the strongest consequent of P 
under a, and Q(⊲b)R means Q ≡ [b]R, the weakest antecedent of R 
under b; ∘ is composition of relations on formulae.) 

Proof. 

(b)  P{b}R ≡ P ⊃ [b]R 

           ≡ ∀Q(Q ≡ [b]R ⊃ P ⊃ Q) 

           ⊃ ∃Q(P{I}Q ∧ Q(⊲b)R)              (b backward tidy, Th 2) 

           ≡ P({I} ∘ (⊲b))R. 

     ∃Q(P{I}Q ∧ Q(⊲b)R) ⊃ ∃Q(P ⊃ Q ∧ Q ≡ [b]R)   (Th 2) 

                         ⊃ P ⊃ [b]R. 

     Hence P{b}R ≡ P({I} ∘ (⊲b))R. 

(a)  {a} = ¬{a⁻}⁻                             (D) 

         = ¬({I} ∘ (⊲a⁻))⁻                    (b), TDL 

         = ¬((⊲a⁻)⁻ ∘ {I}⁻) 

         = ¬(⊲a⁻)⁻ ∘ ¬{I}⁻ 

         = (a⊳) ∘ {I}.  ∎                      (D) 

Here (D) denotes the duality P{a}Q ≡ ¬Q{a⁻}¬P, i.e. {a} = ¬{a⁻}⁻, 
where ⁻ is converse and ¬ applied to a relation on formulae negates 
both members of each pair; the last step uses its box/diamond form 
Q ≡ [a⁻]R iff ¬Q ≡ <a⁻>¬R, together with ¬{I}⁻ = {I}. 


Theorem 1. {∅} = ℒ². 

Proof. P{∅}Q is true vacuously.  ∎ 

Theorem 2. {I} = {(P,Q) | ⊨ P ⊃ Q}. 

Proof. {I} = {(P,Q) | (𝔰,𝔱) ∈ I ⊃ (𝔰⊨P ⊃ 𝔱⊨Q)}      (def. of {a}) 

           = {(P,Q) | 𝔰 ∈ 𝒰 ⊃ (𝔰⊨P ⊃ 𝔰⊨Q)}          (def. of I) 

           = {(P,Q) | 𝔰 ∈ 𝒰 ⊃ 𝔰⊨(P ⊃ Q)}             (def. of ⊨) 

           = {(P,Q) | 𝒰 ⊨ (P ⊃ Q)}.  ∎ 

Theorem 3. Let R be a test. 

(a) <[R]⁻>P ≡ R ∧ P.    (Forward tidiness) 

(b) [[R]]P ≡ R ⊃ P.     (Backward tidiness) 

Proof. 

(a) It suffices to prove that 𝔰⊨<[R]⁻>P ≡ 𝔰⊨(R ∧ P). 

    𝔰⊨<[R]⁻>P ≡ ∃𝔱(𝔱[R]𝔰 ∧ 𝔱⊨P) 

              ≡ 𝔰⊨R ∧ 𝔰⊨P            (𝔱[R]𝔰 iff 𝔱 = 𝔰 and 𝔰⊨R) 
              ≡ 𝔰⊨(R ∧ P). 

(b) [[R]]P ≡ ¬<[R]>¬P 

           ≡ ¬(R ∧ ¬P)                (using (a), and [R] = [R]⁻) 
           ≡ R ⊃ P.  ∎ 
IF lemma. Evaluating 𝔰⊨W when W is a formula containing 
IF-terms yields the same truth value whether IF is first 
removed by the above transformations or left in place and 
evaluated using 

    𝔰⊨(IF P THEN S ELSE T) = if 𝔰⊨P then 𝔰⊨S else 𝔰⊨T. 

Proof. Straightforward. (Use induction on depth of IF-terms.)  ∎ 

Theorem 4. Let F(S)←T be an assignment. 

(a) <[F(S)←T]⁻>P ≡ ∃x∃s[P′ ∧ s = S′ ∧ F(s) = T′] 

    where E′ = [(IF Z=s THEN x ELSE F(Z))/F(Z)]E, with x and s 
    (a tuple of the arity of F) fresh variables. 

(b) [[F(S)←T]]P ≡ P″ 

    where E″ = [(IF Z=S THEN T ELSE F(Z))/F(Z)]E. 

(The substitution replaces every occurrence F(Z) of F in E, Z being 
its argument tuple there. For zero-ary F, (a) and (b) reduce to the 
familiar ∃x[[x/F]P ∧ F = [x/F]T] and [T/F]P.) 
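As an added worked instance of Theorem 4, not in the paper itself, take a unary F written A, the assignment A(I) ← A(J)+1, and the postcondition A(J) = 5. Both halves of the theorem are instantiated literally and then simplified by cases on the aliasing question J = I:

```latex
\text{(b)}\quad [[A(I)\leftarrow A(J)+1]]\,(A(J)=5)
  \;\equiv\; (\mathrm{IF}\ J=I\ \mathrm{THEN}\ A(J)+1\ \mathrm{ELSE}\ A(J)) = 5
  \;\equiv\; (J=I \wedge A(J)=4)\ \vee\ (J\neq I \wedge A(J)=5).

\text{(a)}\quad \langle [A(I)\leftarrow A(J)+1]^{-}\rangle\,(A(J)=5)
  \;\equiv\; \exists x\,\exists s\,\bigl[\,(\mathrm{IF}\ J=s\ \mathrm{THEN}\ x\ \mathrm{ELSE}\ A(J)) = 5
      \;\wedge\; s = I \;\wedge\; A(s) = (\mathrm{IF}\ J=s\ \mathrm{THEN}\ x\ \mathrm{ELSE}\ A(J)) + 1\,\bigr]
  \;\equiv\; (J=I \wedge A(I)=6)\ \vee\ (J\neq I \wedge A(J)=5 \wedge A(I)=A(J)+1).
```

In (a) the index term I contains no A, so I′ = I, while T′ = (IF J=s THEN x ELSE A(J)) + 1 records that T was evaluated before the store changed; the bound x is the value A(I) held before the assignment. In (b) the IF-term is what lets one weakest antecedent cover both the aliased and the unaliased case.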

Proof. 

(a) We first prove the aging lemma. 

Aging Lemma. Suppose A_𝔰 = A_𝔱 for all symbols A ≠ F (in 
particular for the fresh variables s and x), and, writing s₀ for 
𝔱⊨s and x₀ for 𝔱⊨x, that F_𝔰(z) = F_𝔱(z) for all z ≠ s₀ and 
F_𝔰(s₀) = x₀. Then 𝔰⊨A(B) = 𝔱⊨A(B)′. 

Proof. By induction on the height of A(B). Assume 𝔰⊨B = 𝔱⊨B′ 
(induction hypothesis, applied to the subterms B). 

Case (i). A ≡ F. 

  Subcase (a). 𝔰⊨B ≠ s₀: 

    𝔰⊨F(B) = F_𝔰(𝔰⊨B) 
           = F_𝔱(𝔱⊨B′)                          (𝔰⊨B ≠ s₀, ind. hyp.) 
           = 𝔱⊨F(B′) 
           = 𝔱⊨(IF B′=s THEN x ELSE F(B′))       (𝔱⊨B′ = 𝔰⊨B ≠ s₀ = 𝔱⊨s, IF lemma) 
           = 𝔱⊨F(B)′.                            (def. of ′) 

  Subcase (b). 𝔰⊨B = s₀: 

    𝔰⊨F(B) = F_𝔰(𝔰⊨B) 
           = F_𝔰(s₀)                             (given) 
           = x₀                                  (given) 
           = 𝔱⊨(IF B′=s THEN x ELSE F(B′))       (𝔱⊨B′ = 𝔰⊨B = s₀ = 𝔱⊨s, IF lemma) 
           = 𝔱⊨F(B)′.                            (def. of ′) 

Case (ii). A ≡ ∃v. Cf. case (ii) of 4(b). 

Case (iii). Other A. 

    𝔰⊨A(B) = A_𝔰(𝔰⊨B) 
           = A_𝔱(𝔱⊨B′)                          (A_𝔰 = A_𝔱, ind. hyp.) 
           = 𝔱⊨A(B′) 
           = 𝔱⊨A(B)′.  ∎                         (def. of ′) 
Aging corollary 1. If 𝔰[F(S)←T]𝔱, 𝔰⊨F(S) = x₀ and 𝔰⊨S = s₀, 
then 𝔰⊨A(B) = 𝔱⊨A(B)′. 

(The transition changes F only, and only at s₀, so 𝔰 and 𝔱 are 
related exactly as the Aging Lemma requires once s and x are 
interpreted as s₀ and x₀.) 

Aging corollary 2. Given 𝔱, if 𝔰 is 

    λA. if A ≠ F then A_𝔱 
        else λz. if z ≠ s₀ then F_𝔱(z) 
                 else x₀ 

then 𝔰⊨A(B) = 𝔱⊨A(B)′. 

Transition existence lemma. Given 𝔱, if 𝔰 is as in the 
previous corollary, s₀ = 𝔱⊨S′, and F_𝔱(s₀) = 𝔱⊨T′, then 
𝔰[F(S)←T]𝔱. (That is, constructing 𝔰 from 𝔱 in this way 
guarantees a transition from 𝔰 to 𝔱 via [F(S)←T].) 

Proof. By aging corollary 2 we have s₀ = 𝔰⊨S and 
F_𝔱(𝔰⊨S) = 𝔰⊨T. Writing 𝔰[F(S)←T] for the state the assignment 
produces from 𝔰, 

    𝔰[F(S)←T] = λA. if A ≠ F then A_𝔰 
                    else λz. if z ≠ 𝔰⊨S then F_𝔰(z) 
                             else 𝔰⊨T 
              = λA. if A ≠ F then A_𝔱 
                    else λz. if z ≠ s₀ then F_𝔱(z) 
                             else F_𝔱(s₀)      (def. of 𝔰, s₀ = 𝔰⊨S, F_𝔱(𝔰⊨S) = 𝔰⊨T) 
              = λA. if A ≠ F then A_𝔱 else λz.F_𝔱(z) 
              = λA. if A ≠ F then A_𝔱 else F_𝔱 (η-reduction) 
              = λA. A_𝔱                        (F_𝔱 is A_𝔱 when A = F) 
              = 𝔱.  ∎                          (η-reduction) 

We can now complete the proof of Theorem 4(a). It 
suffices to show that 

    𝔱⊨<[F(S)←T]⁻>P ≡ 𝔱⊨∃x∃s[P′ ∧ s = S′ ∧ F(s) = T′]. 

Now L.H.S. ≡ ∃𝔰[𝔰⊨P ∧ 𝔰[F(S)←T]𝔱] 

           ≡ ∃𝔰[𝔰⊨P ∧ 𝔰[F(S)←T]𝔱 ∧ F_𝔱(𝔰⊨S) = 𝔰⊨T] 

    (third conjunct implied by second by def. of [F(S)←T]) 

           ≡ ∃x₀∃s₀[𝔱⊨P′ ∧ s₀ = 𝔱⊨S′ ∧ F_𝔱(s₀) = 𝔱⊨T′] 

    (⊃: take x₀ = 𝔰⊨F(S), s₀ = 𝔰⊨S; ⊂: take 𝔰 as in aging corollary 2) 

           ≡ 𝔱⊨∃x∃s[P′ ∧ s = S′ ∧ F(s) = T′]. 

The preceding lemmas make it straightforward to verify each 
step. 

(b) It suffices to show that for all 𝔰, 

    𝔰′⊨P ≡ 𝔰⊨P″ 

where ′ on states is 

    λ𝔰.λA. if A ≠ F then A_𝔰 
           else λz. if z ≠ 𝔰⊨S then F_𝔰(z) 
                    else 𝔰⊨T 

(so 𝔰′ is the state [F(S)←T] produces from 𝔰), and ″ on formulae is 
the substitution of the statement, E″ = [(IF Z=S THEN T ELSE F(Z))/F(Z)]E. 

We proceed by induction on the height of P ≡ A(B). 
We take as our induction hypothesis: 

    ∀y ∈ 𝒱₀ − {F} ∀𝔰″𝔱″(𝔰″ ≈_y 𝔰 ∧ 𝔰″[F(S)←T]𝔱″ ⊃ (𝔱″⊨P ≡ 𝔰″⊨P″)) 

where 𝔰″ ≈_y 𝔰 means that 𝔰 and 𝔰″ differ only in their 
assignment to y. 

Case (i). A ≡ F. 

    𝔰′⊨F(B) = F_{𝔰′}(𝔰′⊨B) 
            = if 𝔰⊨B″ = 𝔰⊨S then 𝔰⊨T else F_𝔰(𝔰⊨B″)   (def. of ′; ind. hyp. 𝔰′⊨B = 𝔰⊨B″) 
            = 𝔰⊨(IF B″=S THEN T ELSE F(B″))            (IF lemma) 
            = 𝔰⊨F(B)″. 

Case (ii). A ≡ ∃v. 

    𝔰′⊨∃vP ≡ 𝔰′⊨∃y[y/v]P                 (α-reduction; y fresh, so not in S or T) 
           ≡ ∃𝔱″(𝔱″ ≈_y 𝔰′ ∧ 𝔱″⊨[y/v]P) 
           ≡ ∃𝔰″(𝔰″ ≈_y 𝔰 ∧ 𝔰″⊨([y/v]P)″)  (each such 𝔱″ is 𝔰″′ for the y-variant 𝔰″ of 𝔰 with the same y; ind. hyp.) 
           ≡ 𝔰⊨∃y(([y/v]P)″) 
           ≡ 𝔰⊨(∃vP)″. 

Case (iii). Other A. 

    𝔰′⊨A(B) = A_{𝔰′}(𝔰′⊨B) 
            = A_𝔰(𝔰⊨B″) 
            = 𝔰⊨A(B″) 
            = 𝔰⊨A(B)″.  ∎ 

Theorem 5. Let F←G be a second-order assignment. Then 

    [[F←G]]P ≡ [G/F]P 

([G/F] is a convenient abbreviation for [G(Z)/F(Z)].) 
Hence second-order assignment is backward tidy. 

Proof. Essentially the same as for Theorem 4(b).  ∎ 

Theorem 6. {a∪b} = {a} ∩ {b}. 

Proof. P{a∪b}Q ≡ ∀𝔰𝔱(𝔰(a∪b)𝔱 ⊃ (𝔰,𝔱)⊨(P,Q)) 

               ≡ ∀𝔰𝔱((𝔰a𝔱 ∨ 𝔰b𝔱) ⊃ (𝔰,𝔱)⊨(P,Q)) 

               ≡ ∀𝔰𝔱((𝔰a𝔱 ⊃ (𝔰,𝔱)⊨(P,Q)) ∧ (𝔰b𝔱 ⊃ (𝔰,𝔱)⊨(P,Q))) 

               ≡ P{a}Q ∧ P{b}Q 

               ≡ P({a} ∩ {b})Q.  ∎ 

((𝔰,𝔱)⊨(P,Q) abbreviates 𝔰⊨P ⊃ 𝔱⊨Q, as in the proof of Theorem 2.) 

Theorem 7A. {a∘b} ⊇ {a} ∘ {b}. 

Proof. P({a} ∘ {b})R 

      ≡ ∃Q∀𝔰𝔱𝔲((𝔰a𝔱 ⊃ (𝔰,𝔱)⊨(P,Q)) ∧ (𝔱b𝔲 ⊃ (𝔱,𝔲)⊨(Q,R))) 

      ⊃ ∃Q∀𝔰𝔱𝔲((𝔰a𝔱 ∧ 𝔱b𝔲) ⊃ ((𝔰,𝔱)⊨(P,Q) ∧ (𝔱,𝔲)⊨(Q,R))) 

      ⊃ ∃Q∀𝔰𝔱𝔲(𝔰a𝔱b𝔲 ⊃ (𝔰,𝔲)⊨(P,R)) 

      ≡ ∀𝔰𝔲(𝔰(a∘b)𝔲 ⊃ (𝔰,𝔲)⊨(P,R)) 

      ≡ P{a∘b}R.  ∎ 

Theorem 7. {a∘b} = {a} ∘ {b} when a is forward tidy or b 
is backward tidy. 

Proof. By Theorem 7A it suffices to show {a∘b} ⊆ {a} ∘ {b}. Take 
first the case that a is forward tidy, so that <a⁻>P is (equivalent 
to) a formula of ℒ. 

(⊆)  P{a∘b}R ≡ ∀𝔰𝔲(𝔰(a∘b)𝔲 ⊃ (𝔰,𝔲)⊨(P,R)) 

             ≡ ∀𝔱𝔲(∃𝔰(𝔰a𝔱b𝔲 ∧ 𝔰⊨P) ⊃ 𝔲⊨R) 

             ≡ ∀𝔱𝔲(𝔱b𝔲 ⊃ (∃𝔰(𝔰a𝔱 ∧ 𝔰⊨P) ⊃ 𝔲⊨R)) 

             ≡ ∀𝔱𝔲(𝔱b𝔲 ⊃ (𝔱⊨<a⁻>P ⊃ 𝔲⊨R)) 

             ≡ <a⁻>P{b}R 

             ⊃ P{a}<a⁻>P{b}R              since P{a}<a⁻>P 

             ⊃ P({a} ∘ {b})R. 

The case of b backward tidy is the exact dual, with the weakest 
antecedent [b]R in place of the strongest consequent <a⁻>P.  ∎ 

Theorem 8. 

(a) If a,b are forward tidy, so are a∪b and a∘b; 

(b) If a,b are backward tidy, so are a∪b and a∘b. 

Proof. 

(a) <(a∪b)⁻>P ≡ <a⁻ ∪ b⁻>P 

              ≡ <a⁻>P ∨ <b⁻>P 

              ≡ Q ∨ R         where Q ≡ <a⁻>P and R ≡ <b⁻>P. 

    <(a∘b)⁻>P ≡ <b⁻ ∘ a⁻>P 

              ≡ <b⁻><a⁻>P 

              ≡ <b⁻>Q         where Q ≡ <a⁻>P 

              ≡ R             where R ≡ <b⁻>Q. 

(b) [a∪b]P ≡ [a]P ∧ [b]P 

           ≡ Q ∧ R            where Q ≡ [a]P and R ≡ [b]P. 

    [a∘b]P ≡ [a][b]P 

           ≡ [a]Q             where Q ≡ [b]P 

           ≡ R                where R ≡ [a]Q.  ∎ 



Corollary 9. All loop-free assignment-and-test programs are very 
tidy (possibly excepting forward tidiness for second order 
assignment). 

Proof. Use induction on the height of a program, together with 
Theorems 1-8.  ∎ 

In the following few theorems, a useful result is: 

Lemma D. {a} ≤_r {a⁻}. 

(≤_r is the reducibility used in Section 2: a question of 
membership in the left-hand relation is effectively rephrased as 
a question about the right-hand one, so that if the right is r.e., 
so is the left.) 

Proof. {a} = ¬{a⁻}⁻                           (D) 

           ≤_r {a⁻}     by the obvious calculation.  ∎ 

We note also that TDL can be strengthened to include the 
word "recursively" before every occurrence of "tidy." If f is 
the recursive tidiness function of a then the dual tidiness 
function g of a⁻ is defined by g(P) = ¬f(¬P). 

Theorem 10. {a∪b} ≤_r {a} × {b} (Cartesian product). 

Proof. {a∪b} = {a} ∩ {b}              Th 6 

             ≤_r {a} × {b}.  ∎ 

Theorem 11. 

(a) If a is forward recursively tidy, {a∘b} ≤_r {b}. 

(b) If b is backward recursively tidy, {a∘b} ≤_r {a}. 

Proof. 

(a) {a∘b} = {a} ∘ {b}                 Th 7 

          = (a⊳) ∘ {I} ∘ {b}          TCL 

          = (a⊳) ∘ {I∘b}              Th 7 

          = (a⊳) ∘ {b}. 

Hence to test P{a∘b}R it suffices to calculate the Q 
satisfying P(a⊳)Q and test Q{b}R. 

(b) {a∘b} ≤_r {b⁻∘a⁻}                 Lemma D 

          ≤_r {a⁻}                    Th 11(a), b⁻ being forward recursively tidy by TDL 

          ≤_r {a}.  ∎                 Lemma D 



Theorem 12. If a is recursively tidy, {a} ≤_r {I}. 

Proof. 

(a) If a is forward recursively tidy, 

    {a} = {a∘I} 

        ≤_r {I}.                Th 11(a) 

(b) When a is backward recursively tidy, 

    {a} ≤_r {a⁻}                Lemma D 

        ≤_r {I}.  ∎             TDL, 12(a) 

Theorem 13. Instructions are recursively very tidy. 

Proof. The strongest consequents and weakest antecedents given 
by Theorems 3 and 4 are easily calculated.  ∎ 

Theorem 14. If a,b are forward (backward) recursively tidy, so 
are a∪b and a∘b. 

Proof. In all four cases of Theorem 8, the desired weakest 
antecedents and strongest consequents are easily calculated.  ∎ 
Corollary 15. If a is a loop-free assignment-and-test program, 
{a} ≤_r {I}. 

(Note that {I}ⁿ = {I} × {I} × … × {I} ≤_r {I}, for any n, since the 
n questions about membership in {I} can be rephrased as a single 
conjunction.) 

Proof. This follows by induction on the height of a program, 
using Theorems 10-14.  ∎ 

Theorem 16. Let |𝒱₀| ≥ 4, |𝒱₁| ≥ 3, |𝒱₃| ≥ 1, with 
V ∈ 𝒱₀, F ∈ 𝒱₁. Let the symbols of 𝒱 and 𝒫 (excepting =) 
take on all possible interpretations in the universe 𝒰. Then 
{[V←F(V)]*} is not r.e., despite {I} and {[V←F(V)]} both 
being r.e. 

Proof. The idea is to make V encode the contents of the two 
registers and the "program-counter" of a universal register 
machine p (presented as a directed graph, one edge-traversal of 
p corresponding to one application of F to V). The basic 
instructions labelling the edges of the graph will be X←X+1, 
X←X−1, X=0, X≠0, Y←Y+1, Y←Y−1, Y=0, Y≠0. (See Minsky [28] 
for a description of such a machine.) To define the program 
counter we number the vertices of p with distinct natural 
numbers; the choice of numbers is unimportant. Let p's start 
vertex be numbered s and final vertex f. We assume without 
loss of generality that leaving each vertex v of p is either 
an assignment edge or a pair of edges labelled with complementary 
tests (X=0, X≠0 or Y=0, Y≠0). (If necessary, add 
edges labelled X=0 and X≠0 from f to f.) Now p may run for 
ever, and halting will be defined by reaching state f, where it 
then is forced to stay. It is important that where control goes 
next be completely specified for every vertex, otherwise F may 
take V to a value that damages our theorem. Another property we 
shall require of p is that it never attempt to decrement a zero 
register, which is easily arranged. We shall also require that 
when p has made up its mind to enter the final state, it sets 
X and Y to 0 first. 

The 3-ary function symbol C is used to encode X, Y and 
the program counter. The following is the only property C 
needs to work reliably as an encoder, x and x′ ranging over 
triples: 

    ∀x∀x′[C(x) = C(x′) ⊃ x = x′]. 

Call this sentence P_C. It says that encoding is 1-1, i.e. 
does not lose information. 

We also want to say that 0, U and D are supposed to 
behave similarly to standard 0, successor and predecessor. We 
let P_N denote 

    ∀x[U(x) ≠ 0 ∧ D(U(x)) = x]. 



We now force F to execute one step of p. We let 
P_p denote the conjunction of a set of sentences, one per edge of p, 
whose elements are defined by the following table, where i, j 
denote the numbers labelling the start and end of the 
corresponding edge. 

    Instruction on edge (i,j)    Corresponding sentence 

    X←X+1      ∀x∀y[F(C(x,    y, Uⁱ(0))) = C(U(x), y, Uʲ(0))] 
    X←X−1      ∀x∀y[F(C(U(x), y, Uⁱ(0))) = C(x,    y, Uʲ(0))] 
    X=0        ∀y  [F(C(0,    y, Uⁱ(0))) = C(0,    y, Uʲ(0))] 
    X≠0        ∀x∀y[F(C(U(x), y, Uⁱ(0))) = C(U(x), y, Uʲ(0))] 

and similarly for Y. 

Claim 1. Given any interpretation 𝔰 satisfying P_N, in which 
all symbols save F are assigned interpretations, let N denote 
{𝔰⊨Uⁿ(0) | n ≥ 0} and let M denote {𝔰⊨Uᵐ(0) | m labels a vertex 
of p}. Thus N is that subset of 𝒰 reachable via 
U_𝔰 from 0_𝔰, and M is that subset of 𝒰 corresponding to the 
vertices of the flowchart. Then the above table consistently and 
completely determines F_𝔰(C_𝔰(x,y,z)) for all x,y ∈ N and 
z ∈ M, except when ("z",j) is labelled with X←X−1, in which 
case it is undetermined when x = 0_𝔰, and similarly for 
Y←Y−1. ("z" is the necessarily unique natural number satisfying 
U_𝔰^{"z"}(0_𝔰) = z.) 

Proof. Completeness follows from the fact that every vertex 
labelled "i" has either an assignment leaving it, or a pair of 
tests. In the former case F_𝔰(C_𝔰(x,y,i)) is completely 
specified except for the decrement instructions. In the latter 
case, F_𝔰(C_𝔰(0,y,i)) is specified, as is F_𝔰(C_𝔰(U(x),y,i)), 
accounting for all elements of N. Consistency follows from 
P_C and P_N, which together ensure that each of the 
above equations specifies F_𝔰 at a different element of the 
domain.  ∎ 

Claim 2. If x,y ∈ N and z ∈ M then F_𝔰(C_𝔰(x,y,z)) = C_𝔰(a,b,c) 
where, if p is started with "control" at vertex "z" and X,Y 
contain "x","y" respectively, then running p for one step 
yields "a" in X and "b" in Y, with control at vertex "c". 

Proof. Straightforward.  ∎ 
Now assume that {[V←F(V)]*} is r.e. Then we can 
decide whether p started with i in register X and 0 in 
register Y will ever halt, thereby solving the halting problem 
for this universal machine, a contradiction [26]. To decide 
whether p halts, run p and at the same time enumerate 
{[V←F(V)]*} looking for the pair 

    ⟨P_C ∧ P_N ∧ P_p ∧ P_i,  V ≠ C(0,0,U^f(0))⟩ 

where P_i is V = C(Uⁱ(0), 0, Uˢ(0)). 

The crucial observation is that we will find this pair if and only 
if p does not halt. For certainly if we find it we know that 
by Claim 2 the machine cannot get into the state (0,0,f). 
Conversely, if the machine cannot get into this state, then by 
Claims 1 and 2 V ≠ C(0,0,U^f(0)) will remain true no matter 
how often F is applied to V. Since p halts only by entering f 
with both registers at 0, the search for the pair terminates 
exactly when p does not, and one of the two processes always 
terminates. 

This completes the proof of Theorem 16.  ∎ 

Corollary 17. When {I} is r.e., [V←F(V)]* is not recursively 
tidy. 

Proof. Suppose [V←F(V)]* to be recursively tidy. Then 

    {[V←F(V)]*} = {[V←F(V)]* ∘ I} 

                ≤_r {I}                          Th 11 

but this would imply that {[V←F(V)]*} is r.e., 
contradicting Theorem 16.  ∎ 

Theorem 18. If ≤ ∈ 𝒫 (with 0, +1 and ≤ interpreted standardly 
over the natural numbers) then {[V←V+1]*} is recursively very tidy. 

Proof. <[V←V+1]*⁻>P ≡ ∃n(n ≤ V ∧ [n/V]P). 

       [[V←V+1]*]P ≡ ∀n(V ≤ n ⊃ [n/V]P).  ∎ 

In Theorems 19-23, ⟨a⟩ denotes the set of invariants of a, the 
formulae P with P{a}P. 

Theorem 19. ⟨∅⟩ = ⟨I⟩ = ℒ. 

Proof. Straightforward.  ∎ 

Theorem 20. ⟨a∪b⟩ = ⟨a⟩ ∩ ⟨b⟩. 

Proof. Straightforward.  ∎ 

Theorem 21. ⟨a∘b⟩ ⊇ ⟨a⟩ ∩ ⟨b⟩. 

Proof. Straightforward.  ∎ 

Corollary 22. For a given program a, the structure 
({⟨aⁿ⟩ | n ≥ 0}, ⊆) is a homomorph of the natural number division 
lattice (ℕ, |), with ⟨a⟩ as the least element and ⟨I⟩ as the 
greatest. Further, when a is [X←F(X)] with F uninterpreted, the 
homomorphism becomes an isomorphism. 

Proof. If m|n then ⟨aᵐ⟩ ⊆ ⟨aⁿ⟩. 

Further, when a is [X←F(X)], if m∤n then the formula 

    P(X) ∧ ∀x(P(x) ⊃ ¬P(F(x)) ∧ ¬P(F²(x)) ∧ … ∧ ¬P(F^{m−1}(x)) ∧ P(Fᵐ(x))) 

(which makes P hold once every m applications of F) 
is an invariant of (strictly, is a projection of an invariant of) 
aᵐ but not of aⁿ.  ∎ 

Theorem 23. ⟨a*⟩ = ⟨a⟩. 

Proof. This follows immediately from a* = ∪{aⁿ | n ≥ 0}, Theorem 
20 and Corollary 22 (the part of the corollary that says that ⟨a⟩ 
is the least element of {⟨aⁿ⟩ | n ≥ 0}).  ∎ 

Theorem 24 (Star Interpolation Theorem). Let a* be tidy, with 
P{a*}R. Then there exists Q satisfying P ⊃ Q ⊃ R and Q{a}Q. 
(An equivalent statement of the theorem is that if a* is tidy, 
{a*} = {I} ∘ ⟨a⟩ ∘ {I}, where ⟨a⟩ is read as the identity relation 
on the invariants of a; the other inclusion is the Rule of 
Invariance.) 

Proof. We need only treat the case when a* is forward tidy; 
the other case is the exact dual. Choose Q to be the strongest 
consequent of P under a*, i.e. the Q with P(a*⊳)Q. Then 
Q ⊃ R since Q is the strongest consequent of P, and P ⊃ Q since 
I ⊆ a*. Moreover (using an improved version of our original 
argument suggested by R. Rivest) 

        P{a*}Q 

    so  P{a*∘a}Q                   since a*∘a ⊆ a* 

    so  P({a*} ∘ {a})Q             Theorem 7; a* is forward tidy 

    so  P{a*}S{a}Q                 for some S ∈ ℒ 

    thus Q ⊃ S                     P{a*}S and Q is strongest 

    whence Q{a}Q.  ∎               since S{a}Q 

Corollary 25. When all regular programs are tidy, {a} ≤_r {I}. 

Proof. We proceed by induction on the height of a regular 
expression representing a. If a is an instruction, the result 
follows from Theorems 12 and 13. If a is the union or 
composition of two programs then Theorems 10 and 11 together with 
the induction hypothesis apply. If a = b* then by Theorem 24 {a} 
= {I} ∘ ⟨b⟩ ∘ {I}. By induction, all the components of this 
composition are r.e. reducible to {I}, hence so is {a}.  ∎ 

Corollary 26. Under the conditions of Theorem 16, if {I} is r.e. 
then [V←F(V)]* is not tidy. 

Proof. If it were tidy, then by Theorem 24 {[V←F(V)]*} would be 
{I} ∘ ⟨[V←F(V)]⟩ ∘ {I}, which is r.e. because all of its components 
are r.e. But this would then contradict Theorem 16.  ∎ 
while the connection between Kripke semantics and programs was 

drafts of this paper. 